Skill v1.0.0
ClawScan security
Caldav · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious (Feb 24, 2026, 11:11 AM)
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill appears to implement CalDAV and Radicale administration features that match its description, but there are several mismatches between the declared requirements and what the scripts actually do (calls to system binaries, reads/writes to system config paths, and curl examples that expose credentials), so review and caution are recommended before installing.
- Guidance: This skill includes real Python scripts that manage CalDAV resources and administer a Radicale server; that means it will read local config files (e.g., ~/.config/caldav/config.json, /etc/radicale/*), inspect storage under /var/lib/radicale, and call system utilities (systemctl, pgrep, htpasswd, curl). Before installing or running it:
  - Expect to grant it access to local Radicale configuration and storage; run it only on systems you control and where you expect these admin actions.
  - Note the manifest only lists python3, but the scripts call other system binaries; ensure those tools exist and consider privilege requirements (some operations may need sudo).
  - Avoid using curl -u user:pass examples on shared machines or in logs — passing credentials on the command line can expose them via shell history/process lists. Prefer environment variables or protected config files.
  - Review the included scripts yourself (they are bundled) if you have concerns; they do not perform network exfiltration or obfuscated behavior in the provided code, but they do read system files and may modify htpasswd or storage.
  - If you lack experience managing system services or Radicale, test this skill in an isolated environment or container first.

  If you want, I can point out the exact lines where system calls and path reads occur or produce a short checklist of commands to run safely when evaluating this skill.
Review Dimensions
- Purpose & Capability (note): Name and description match the included Python scripts: calendars, events, todos, and Radicale management. The functionality (calendar CRUD, event/todo operations, Radicale admin) is coherent with the stated purpose. However, the SKILL metadata only declares python3 as a required binary while the scripts invoke other system utilities (systemctl, pgrep, htpasswd, curl) and access system paths (/etc/radicale, /var/lib/radicale). The presence of those system-level operations is reasonable for Radicale administration but is more privileged than the declared single dependency, which is a mismatch.
- Instruction Scope (note): SKILL.md and the scripts instruct the agent/user to: install the caldav library; place credentials in environment variables or a config file; run the included Python scripts; and (for low-level ops) run curl commands with user:pass. The runtime code reads config files (~/.config/caldav/config.json, /etc/caldav/config.json), Radicale config (/etc/radicale/config, ~/.config/radicale/config), the users file (/etc/radicale/users), the storage path (/var/lib/radicale/collections), and may write files (export ICS, import ICS, modify htpasswd via htpasswd). That scope is consistent with Radicale admin but includes access to system files and running system commands. The SKILL.md examples that show curl -u user:pass risk exposing credentials in shell history and process lists; this is an operational security concern but not unexpected for a CalDAV skill.
- Install Mechanism (ok): There is no automated install spec (instruction-only install), which minimizes the risk of arbitrary remote code fetch during install. The SKILL.md tells users to pip install the caldav library (and caldav[async] optionally) — a straightforward, expected dependency. Because code files are included in the skill bundle, no additional install steps are required by the skill itself. No remote download URLs or extract operations are present in the manifest.
- Credentials (concern): The skill does not declare required environment variables in its registry metadata, yet the SKILL.md and utils.load_config() use CALDAV_URL, CALDAV_USER, CALDAV_PASSWORD and allow a config file. That alone is not malicious, but the Radicale management scripts read system configuration paths (/etc/radicale/config, /etc/radicale/users) and storage directories and run system commands which may require elevated privileges. The code does not request unrelated cloud or secret credentials, but it will read local sensitive files (htpasswd) and could expose configuration state. The mismatch between declared env requirements and the script behavior is notable.
- Persistence & Privilege (ok): The skill is not always-enabled and does not request any platform-level persistence privileges. It does perform administrative actions on the local system (reading/writing Radicale files, calling htpasswd, checking systemctl), which requires appropriate OS permissions, but it does not modify other skills or the agent runtime configuration.
