Back to skill
Skillv0.1.5
ClawScan security
Meetup Planner · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 12, 2026, 10:00 PM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's declared purpose (finding and tracking events) aligns with what it asks to do: create a local workspace, run scheduled searches, and use web search/scraping tools; there are no unexplained permissions or hidden endpoints, but you should review and trust any scraping/search tools you provide and approve the cron setup.
- Guidance
- This skill appears to be what it says: an event finder that stores data locally and runs scheduled searches. Before installing, verify the repository/source (SKILL.md/package.json point to a GitHub repo) and confirm you trust it. Important points to consider: 1) The skill requires you to supply web search/scraping tools — those tools, not this skill, may require API keys or send data off your machine, so only provide trusted tools and review their permissions. 2) The skill will create files under ~/.openclaw/workspace/meetup-planner/ and may add a cron job; review the exact cron entry before enabling automation. 3) There are no requested environment variables or unrelated system accesses, but review any prompts during bootstrap carefully (especially if asked to install third-party scrapers). If you want extra caution, install but do not enable automated daily searches until you inspect the created files and approve the cron job and any external-tool credentials.
Review Dimensions
- Purpose & Capability
- okName and description match the requested permissions and behavior: network access to event sites (eventbrite, meetup, luma) and read/write access to a single workspace directory (~/.openclaw/workspace/meetup-planner/) are coherent with an event-discovery/tracking skill. Minor metadata mismatch: registry lists source/homepage as unknown/none while SKILL.md and package.json include a GitHub repo URL; this is likely a packaging/registry metadata issue but worth verifying.
- Instruction Scope
- okRuntime instructions are concrete and stay within the stated purpose: interactive preference collection, reading/writing config and data files in the declared workspace, running searches and scrapes via separate search/crawl tools, and scheduling reminders. The skill explicitly requires you to provide or confirm web search/scraping capabilities before proceeding. It does not instruct the agent to read unrelated system files or other skills' configs.
- Install Mechanism
- okThis is an instruction-only skill with no install script or code to download/execute. That lowers risk: the skill will only create local workspace files and instruct the agent to set up cron jobs. The package.json lists permissions, but there is no automatic installer that fetches remote code.
- Credentials
- noteThe skill requests no environment variables or unrelated credentials (good). However it depends on external search/scraping tools you must provide; those tools may require API keys or credentials and will perform network requests. The SKILL.md asserts that only search queries and event URLs (and any credentials required by your tools) are sent; this is plausible but not enforceable by the skill itself. Treat third-party scraping/search tools as the primary source of credential/network risk.
- Persistence & Privilege
- noteThe skill will create local files and (optionally) add a cron job to run daily searches and schedule reminders. It does not request 'always: true' or persistent system-wide privileges beyond modifying the user's own cron and workspace directory. Adding scheduled tasks is expected for this functionality but is a change you should explicitly approve during setup.