macOS Calendar Assistant

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed macOS Calendar assistant, but it can read and change real calendar data and optionally install a daily local cron check.

Install only if you want an OpenClaw agent to access macOS Calendar. Review config.json, especially timezone and output_dir, keep date ranges narrow, use --dry-run before cleanup, and remember that install.sh adds a daily cron job until uninstall.sh removes it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
}}
sem.wait()
'''
    p = subprocess.run(["swift", "-"], input=code, capture_output=True, text=True)
    if p.returncode != 0:
        raise SystemExit(p.stderr or p.stdout)
    return p.stdout.strip()
Confidence
90% confidence
Finding
p = subprocess.run(["swift", "-"], input=code, capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# If no candidates, remove exact by title/start as a fallback.
    if parse_candidates(cleanup.stdout) == 0:
        swift_code = f'''import EventKit\nimport Foundation\nlet store = EKEventStore()\nlet fmt = ISO8601DateFormatter()\nlet sem = DispatchSemaphore(value: 0)\nstore.requestAccess(to: .event) {{ granted, _ in\n  guard granted else {{ sem.signal(); return }}\n  guard let start = fmt.date(from: "{iso(start)}") else {{ sem.signal(); return }}\n  guard let cal = store.calendars(for: .event).first(where: {{$0.title == "{cal}"}}) else {{ sem.signal(); return }}\n  let pred = store.predicateForEvents(withStart: start, end: start.addingTimeInterval(60), calendars: [cal])\n  let events = store.events(matching: pred).filter {{$0.title == "{title}"}}\n  for e in events {{ try? store.remove(e, span: .thisEvent) }}\n  sem.signal()\n}}\nsem.wait()\n'''
        subprocess.run(["swift", "-"], input=swift_code, capture_output=True, text=True)

    print(json.dumps({
        "ok": True,
Confidence
76% confidence
Finding
subprocess.run(["swift", "-"], input=swift_code, capture_output=True, text=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill documents shell execution plus file read/write behavior but does not declare corresponding permissions, creating a transparency and policy-enforcement gap. In an agent setting, undeclared capabilities can cause the skill to be invoked with more authority than users or orchestrators expect, increasing the chance of unintended filesystem changes or command execution.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The README presents very broad natural-language examples like "add this event", "extend to 14:00", and "move to Friday night" for use across chat platforms. Without explicit activation boundaries, confirmation requirements, or scoping rules, ordinary conversation text could be misinterpreted as a command, causing unintended calendar modifications from ambient or forwarded chat content.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The Chinese section repeats the same issue by advertising vague commands such as "加个日程", "延长到14:00", and "改到周五晚上" without any activation guardrails. In an IM-integrated assistant that parses screenshots and chat text, this increases the chance of accidental command execution, cross-message confusion, or unauthorized updates triggered by ordinary language.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The invocation language is broad enough to match common chat, planning, or note-taking requests, which can cause the skill to trigger in contexts where users did not intend calendar modification. Because this skill can create, move, and delete calendar data through scripts, overbroad routing increases the risk of accidental side effects from ordinary conversation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documented cleanup command includes destructive flags (`--apply --confirm yes`) that can remove calendar entries, but the surrounding guidance does not prominently warn about deletion risk or require a stronger human-review step. In a skill intended for automation, such terse destructive instructions can lead to mass accidental data loss if invoked on the wrong range or with poor duplicate matching.

Natural-Language Policy Violations

Medium
Confidence
90% confidence
Finding
Falling back to Asia/Shanghai without user opt-in can silently create or move events at incorrect times for users in other regions. In calendar automation, timezone errors directly affect scheduling integrity and can cause missed meetings, reminders firing at the wrong time, or incorrect conflict resolution.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
Defaulting silently to Asia/Shanghai can cause calendar operations to be created, moved, or interpreted in the wrong timezone when config and system detection both fail. In a calendar assistant, this can lead to missed meetings, incorrect reminders, and unintended schedule changes, especially in IM-driven automation where users may not notice the assumption immediately.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The installer unconditionally rewrites the user's crontab by removing prior matching entries and installing a new scheduled job, without any explicit consent prompt or dry-run. This creates persistent behavior on the host and can surprise users, especially in an agent-skill context where installation may be initiated indirectly.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This script requests calendar access and then exports all matching event metadata, including titles, locations, and notes, directly to stdout with no in-script user notice, minimization, or confirmation of what sensitive fields will be disclosed. In the context of an IM-first assistant, this is especially risky because calendar contents often contain private schedules, meeting links, addresses, and sensitive notes that could be relayed to external systems or other agents once retrieved.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script updates and saves a calendar event immediately after finding a title match, with no user confirmation, dry-run, or secondary validation of the exact event selected. In an IM-first assistant context, this is risky because natural-language ambiguity, title collisions, or prompt/command injection upstream could cause unintended rescheduling of real user events without the user noticing until later.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
This smoke test directly exercises scripts that read the user's calendars/events and invokes a cleanup routine against a real time window, but the file provides no safeguard such as an explicit test-only mode, confirmation prompt, or isolation to a mock calendar. In the context of a calendar-management skill, this is more dangerous because operators may run the smoke test on a workstation with real personal/work calendars, causing unintended data exposure or accidental modification/deletion if the cleanup script is not strictly read-only.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script can create or modify calendar events immediately based on provided arguments, with no built-in confirmation, approval gate, or policy check. In an IM-first assistant context, this increases the chance that misparsed chat content, prompt injection from messages/screenshots, or operator error results in silent calendar tampering.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal