firstfloris

Opencron Skill Repo

Author: Floris Jan-Werner van der Harst · GitHub ↗ · v1.0.1 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 214
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install opencron-skill-repo
Description
Visual cron job dashboard for OpenClaw — live countdown timers, run history, calendar view
Security usage recommendations
This skill appears to implement the dashboard it describes, but there are clear inconsistencies and a real risk of leaking your gateway token. Things to consider before installing:
- The SKILL.md and scripts use OPENCLAW_GATEWAY_TOKEN and CANVAS_PORT but the registry metadata does not declare these env vars — confirm where that token comes from and whether you are comfortable it will be placed into URLs.
- The instructions explicitly tell the agent to build a public URL containing the gateway token and to fetch the public IP via an external service (ifconfig.me). Embedding a token in a query string makes it visible to anyone who can see logs, browser history, reverse proxies, or referer headers — avoid this unless the token is disposable or you control access carefully.
- The included installer runs git (not declared) and executes Python scripts that read files under ~/.openclaw. Only install from a source you trust; review the repo contents locally before running the installer.
- If you want this functionality but not the token-exposure behavior: modify update_canvas.py / SKILL.md to avoid putting the gateway token in client-side URLs. Instead, require server-side token validation (proxy the token check in nginx) or use short-lived access links.
If you do proceed, run the install in an isolated environment, inspect and possibly harden the nginx reverse-proxy configuration (don’t accept tokens in query strings, enforce POST-only where appropriate, restrict what /runs/ exposes), and declare any environment variables/config paths in the skill metadata so the behavior matches what is advertised.
Functional analysis
Type: OpenClaw Skill
Name: opencron-skill-repo
Version: 1.0.1
The skill bundle provides a legitimate-looking cron dashboard but includes instructions in SKILL.md that direct the AI agent to leak the sensitive OPENCLAW_GATEWAY_TOKEN by appending it to the chat output after every cron job. While intended for user convenience, this exposes authentication credentials in chat logs. Additionally, update_canvas.py fetches a remote HTML template from GitHub (raw.githubusercontent.com/firstfloris/opencron/master/cron-dashboard.html), creating a remote dependency that could be used to deliver malicious frontend code or perform XSS.
Capability assessment
Purpose & Capability
The stated purpose (visual OpenClaw cron dashboard) matches the included code that reads ~/.openclaw/cron/jobs.json, writes canvas files, and serves or generates HTML. However the package metadata claims no required config paths or env vars while the SKILL.md and code clearly rely on HOME/.openclaw paths and an OPENCLAW_GATEWAY_TOKEN (used in examples/URLs). The installer (bin/install.js) invokes git but git is not declared in required binaries. These omissions are incoherent with the skill's operational needs.
Instruction Scope
Runtime instructions tell the agent to always append a public dashboard URL including ${OPENCLAW_GATEWAY_TOKEN} after every cron job run and to resolve HOST_IP via curl to ifconfig.me. That directs the agent to call an external service and to expose a gateway token in a publicly reachable URL — actions that go beyond simply 'showing a dashboard' and increase risk of token leakage and data exposure.
Install Mechanism
There is no formal install spec in the registry entry, but a bundled bin/install.js clones a GitHub repo and runs update_canvas.py. Cloning from GitHub is common, but the installer executes git and Python scripts (execFileSync) — the manifest did not declare git as required. The dashboard HTML is fetched from a raw GitHub URL (acceptable), but cloning/executing external repo contents should be treated as running third-party code.
Credentials
The registry lists no required environment variables, yet SKILL.md and examples rely on CANVAS_PORT and OPENCLAW_GATEWAY_TOKEN and instruct resolving them for public URLs. The skill also reads user-local files (~/.openclaw/cron/jobs.json and potentially run logs). Requesting no declared credentials while instructing the agent to use and embed a gateway token is a mismatch and can lead to unintentional disclosure of sensitive tokens.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. However the instructions explicitly require that every cron job's output includes a final line with a public URL containing the gateway token; if the agent invokes this skill autonomously that behavior could become automatic and spread the token. Autonomous invocation plus the token-exposure instruction raises the operational risk even though no elevated platform privilege is requested.
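How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install opencron-skill-repo
  3. Once installation completes, call the Skill by name or trigger it with /opencron-skill-repo
  4. Provide the required input according to the Skill's parameter description to get structured output
Version history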
v1.0.1
- Added detailed SKILL.md documentation for deploying, syncing, and serving the OpenCron visual dashboard for OpenClaw cron jobs.
- Included feature overview, quick start steps, script explanations, external access setup, and demo usage instructions.
- Provided security notes, environment configuration guidance, and usage rules for public dashboard access.
Metadata
Slug opencron-skill-repo
Version 1.0.1
License MIT-0
Total installs 0
Current installs 0
Number of historical versions 1
FAQ

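What is Opencron Skill Repo?

Visual cron job dashboard for OpenClaw — live countdown timers, run history, calendar view. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 214 total downloads to date.

How do I install Opencron Skill Repo?

Run the command "/install opencron-skill-repo" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is Opencron Skill Repo free?

Yes, Opencron Skill Repo is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.

Which platforms does Opencron Skill Repo support?

Opencron Skill Repo runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Opencron Skill Repo?

It is developed and maintained by Floris Jan-Werner van der Harst (@firstfloris); the current version is v1.0.1.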
