Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
temporal-cortex-datetime
v0.9.1
Convert timezones, resolve natural language times ("next Tuesday at 2pm"), compute durations, and adjust timestamps with DST awareness. No credentials needed...
by Billy Lui (@billylui)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (timezone conversion, NL times, DST-aware adjustments) align with declared requirements: only npx is required and a single MCP server binary is installed. The listed config path (~/.config/temporal-cortex/config.json) plausibly supports user timezone/week-start preferences.
Instruction Scope
SKILL.md restricts runtime actions to running a local MCP server over stdio and reading the config.json. It claims 'no filesystem writes' at runtime but the installation process will write the binary into the npm install cache / bin path; the binary also reads the config file. Instructions are otherwise scoped to the datetime task and do not request extra files, env vars, or network calls at runtime.
Install Mechanism
Install uses an npm package that (via postinstall) downloads a platform binary from GitHub Releases and verifies SHA256 against an embedded checksums.json. This is coherent with the described design but is a supply-chain step that writes a binary to disk — higher risk than a pure instruction-only skill. The SKILL.md provides a verification pipeline and Docker build/run options for containment.
Credentials
The skill requests no environment variables or credentials and only a single config path for user preferences. That is proportionate to the stated functionality.
Persistence & Privilege
always:false and normal model invocation. The skill will install a binary via npm (one-time) and run a local process; it does not request permanent platform-wide privileges, nor does it modify other skills. This level of persistence is typical for a packaged native helper.
Assessment
This skill appears coherent for offline datetime parsing, but the main risk is the one-time binary installation from a third-party package. Before installing: (1) inspect the referenced repository and release assets (github.com/temporal-cortex/mcp) and confirm the release checksum matches the binary you will receive; (2) follow SKILL.md's verification steps (npm pack --dry-run, compare SHA256 to release SHA256SUMS.txt); (3) consider running the MCP server inside Docker with network disabled for extra containment; (4) be aware npm will write the binary into your npm cache / global bin location and the binary will read ~/.config/temporal-cortex/config.json. If you cannot or do not want to verify the binary/source, do not install.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Bins: npx
Config: ~/.config/temporal-cortex/config.json
Install
Node
Bins: cortex-mcp
npm i -g @temporal-cortex/cortex-mcp@0.9.1