Skill v1.0.1

ClawScan security

Claw Calendar Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 30, 2026, 7:19 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's files, runtime instructions, and requested environment variables are consistent with a calendar API client; nothing in the bundle suggests covert exfiltration or unrelated privilege requests.
Guidance
This skill appears to be a straightforward Claw Calendar API client. Before installing, ensure your agent runtime provides Node (the scripts are invoked with `node`, but `node` was not listed as a required binary). Use a least-privileged API key, keep CLAW_CALENDAR_API_KEY secret, and if you override the default CLAW_CALENDAR_API_URL, verify that it points to a trustworthy endpoint. Because the package contains runnable scripts (no install steps), consider running them in an isolated environment or reviewing network logs to confirm requests go only to the intended API host (https://claw-calendar.com) before granting the key. If you need higher assurance, request the publisher/homepage or source provenance, since the registry metadata has no homepage listed.

Review Dimensions

Purpose & Capability
note: The skill declares and documents a Claw Calendar API integration and only requests CLAW_CALENDAR_API_KEY and CLAW_CALENDAR_API_URL, which map to that purpose. Minor inconsistency: the SKILL.md and scripts expect you to run `node` (they call `node scripts/*.js`), but the registry metadata did not list `node` as a required binary.
Instruction Scope
ok: SKILL.md instructs the agent to call included Node scripts and to set API-related env vars. The scripts only access the declared env vars and contact the declared API base URL; they do not reference other files, system paths, or unrelated credentials.
Install Mechanism
ok: There is no install spec (instruction-only), and the packaged code is plain JavaScript with clear, readable network calls. No downloads from arbitrary URLs or extract/install steps are present.
Credentials
ok: Only two environment variables are required: an API key (primary credential) and an API URL override. Both are appropriate and proportional to a REST API client. No unrelated secrets or broad system config are requested.
Persistence & Privilege
ok: always:false and default autonomous invocation are used (normal). The skill does not request persistent system-wide changes or access to other skills' configurations.