Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Jetlag Planner

v0.1.0

Scans your Google Calendar for upcoming flights and writes a personalized circadian adjustment plan back to your calendar. Trigger with phrases like "check m...

0 · 304 · 0 current · 0 all-time

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for chadholdorf/openclaw-jetlag.

Install the skill "Jetlag Planner" (chadholdorf/openclaw-jetlag) from ClawHub.
Skill page: https://clawhub.ai/chadholdorf/openclaw-jetlag
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install chadholdorf/openclaw-jetlag

ClawHub CLI

npx clawhub@latest install openclaw-jetlag

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

! Purpose & Capability
The skill legitimately needs Google OAuth credentials and Node.js to access and modify your Google Calendar, but the registry metadata declares no required env vars or binaries. That mismatch (no declared GOOGLE_CLIENT_ID/SECRET or Node requirement) is an incoherence you should understand before installing.
Instruction Scope
SKILL.md explicitly instructs the agent to check for files in ~/openclaw-jetlag (.env and .oauth-token.json) and to run `cd ~/openclaw-jetlag && node index.js`, capturing stdout/stderr. The scope of the runtime instructions is otherwise limited to calendar scanning and writing events; they do not instruct exfiltration to third-party endpoints. However, they do require access to local files and the ability to run a local binary (node).
! Install Mechanism
There is no install spec in the registry, yet the code (README and SKILL.md) expects you to clone the repo and run `npm install` / `node index.js`. The skill includes code and npm dependencies but does not declare Node/npm as required binaries in metadata — this is an inconsistency and increases accidental misconfiguration risk.
! Credentials
The skill requires sensitive environment values (GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET stored in a .env) and will persist OAuth tokens to .oauth-token.json to allow future autonomous runs. Those credentials are necessary for the stated Calendar access, so requesting them is proportionate, but the skill failed to declare them in metadata, which is a red flag. The README's suggestion to 'ask your Claw bot for the Client ID/Secret' warrants additional caution about how credentials might be sourced.
Persistence & Privilege
The skill writes an OAuth token file (.oauth-token.json) and will create many calendar events in your Google Calendar. It does not request 'always: true' or modify other skills. The combination of autonomous invocation (default) plus saved OAuth credentials means once authorized the skill can run without interactive approval — that is expected for this use but worth noting.
What to consider before installing

  • This skill requires Node.js >=18 and a Google OAuth Client ID/Secret (put in ~/openclaw-jetlag/.env) even though the registry metadata doesn't declare those — that mismatch is suspicious. Verify you will run the code in a directory you control and that you will create a dedicated Google OAuth client for this tool (do not reuse credentials from other apps).
  • The skill will save an OAuth token (.oauth-token.json) and then can autonomously read and write your Calendar events (it will create many reminder events). If you are uncomfortable with a skill creating calendar events automatically, do not install or run it.
  • Inspect index.js yourself (it is included) or run it in an isolated account/environment first. If you don't trust the unknown source, create a throwaway Google account and a separate Google Cloud OAuth client to test so your primary account's data and credentials are not exposed.
  • Ask the publisher for source provenance (why registry metadata omits required env vars and Node), or prefer a skill whose declared requirements match its runtime behavior.

Like a lobster shell, security has layers — review code before you run it.

calendar, circadian, jetlag, latest, travel
304 downloads
0 stars
1 versions
Updated 14h ago
v0.1.0
MIT-0

Run the jetlag planner by following these steps exactly.

Step 1 — Check for .env

Check whether the file ~/openclaw-jetlag/.env exists.

If it does not exist, stop immediately and reply:

⚠️ No .env file found in ~/openclaw-jetlag/. You need to add your Google OAuth credentials before I can run the planner. Follow the setup instructions in the README — ask me "show me the jetlag setup instructions" if you need them.

Step 2 — Check for .oauth-token.json

Check whether the file ~/openclaw-jetlag/.oauth-token.json exists.

If it does not exist, stop immediately and reply:

⚠️ Google authorization hasn't been completed yet. Run this once in your terminal to finish setup:

cd ~/openclaw-jetlag && node index.js

It will open a browser, ask you to sign in to Google, and save your authorization. After that, just say "check my flights" again and I'll handle it from here.

Step 3 — Run the planner

Run the following command and capture all output (stdout and stderr):

cd ~/openclaw-jetlag && node index.js

Step 4 — Report back

Reply with a short, plain-language Telegram-friendly summary. Do not dump raw output. Instead:

  • If flights were detected and plans were written, say which flights were found (route and date) and how many calendar events were created total.
  • If the output says no flight events were found, reply: "No upcoming flights found in your calendar for the next 90 days. If you have flights coming up, check that your airline confirmation emails are in the Gmail account linked to this calendar."
  • If flights were found but all were skipped (under 2-hour timezone shift), reply: "Found [N] flight(s) but all had under a 2-hour timezone shift, so no adjustment plan was needed."
  • If the command exited with a non-zero code or printed an error, relay the error message directly and suggest running `cd ~/openclaw-jetlag && node index.js` manually to see the full output.

Keep the reply under 5 sentences. No markdown headers in the Telegram reply — just plain text with line breaks between items if listing multiple flights.
