Partycraft
Verdict: Warn. Audited by ClawScan on May 10, 2026.
Overview
Partycraft is a local event planner, but its shell script builds Python source by interpolating event, task, and guest text into a heredoc, so crafted input could run code on your computer.
Review or fix scripts/script.sh before installing. In particular, avoid letting the agent pass untrusted invitation text, vendor messages, guest names, or task descriptions into Partycraft until the Python heredoc interpolation is replaced with safe argument handling. Also be aware that event data is stored locally in ~/.partycraft/events.json.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Finding: If the agent or user passes crafted event names, budgets, tasks, or guest names to the script, that input could run commands under the local user account.

Command arguments are expanded directly into Python source code inside heredocs instead of being passed as safely encoded data. Because the heredoc delimiter (PYEOF) is unquoted, the shell substitutes the variables into the Python text before python3 ever sees it, so a value containing quotes or Python syntax could break out of the intended string and execute arbitrary Python.

Evidence:
python3 << PYEOF
...
"name": "$name", "date": "$date", "type": "$type"
...
append({"text": "$task_text", "done": False})

Recommendation: Do not use this script with untrusted text until it is fixed. Quote the heredoc delimiter so the shell performs no expansion inside the Python source, pass arguments to Python via argv, environment variables, or JSON encoding, and avoid constructing Python source with shell-expanded user input.

Finding: Guest lists, budgets, and planning details remain on disk after use and may later be shown back to the agent or anyone with access to that local account.

The skill persistently stores event details, budgets, tasks, and guest names locally. This is disclosed and aligned with the planner purpose, but it is still personal data that can be reread in future outputs.

Evidence:
All data is stored locally in `~/.partycraft/` ... `budget` ... `guests` ... Event data is persisted in `~/.partycraft/events.json`

Recommendation: Avoid storing sensitive personal details unless needed, and review or delete ~/.partycraft/events.json when you no longer want the data retained.

Finding: The skill may not run as expected unless the partycraft command is wired to scripts/script.sh and both bash and python3 are installed.

The package includes an executable script and the SKILL.md documents bash/python3 requirements, while the registry metadata declares no install spec and no required binaries. This is a dependency/declaration gap, not evidence of hidden remote installation.

Evidence:
Install specifications: No install spec — this is an instruction-only skill.
Required binaries ... none.
Code file presence: scripts/script.sh

Recommendation: Make the install and runtime requirements explicit, and ensure users know whether scripts/script.sh is exposed as the partycraft command.
