ClawHub

Chinese Holiday Assistant

v1.0.2

Queries Chinese holidays, work-shift arrangements, and determines if a date is a workday based on synced iCloud data and weekly rules.

1· 182·1 current·1 all-time
by@claudecaicai
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the code and config: the skill parses .ics files in data/, supports DTSTART/DTEND ranges, and can update the calendar by downloading from PRIMARY_URL/BACKUP_URL. The listed URLs in config.json (iCloud public holidays and a GitHub raw file) are consistent with the stated purpose.
Instruction Scope
Runtime instructions and scripts only read config.json and .ics files under data/ and optionally perform HTTP GET to configured URLs then write the downloaded calendar to data/cn_zh.ics. SKILL.md mentions a cron monthly update (no cron job provided) and claims upward-tracing of config.json; the code uses a fixed path (BASE_DIR/config.json) rather than walking upward, so the documentation slightly overstates behavior. Be aware the download step fetches remote content and writes it to disk.
Install Mechanism
This is an instruction-only skill with no install spec. It requires Python packages (requests, icalendar) noted in the README — reasonable and proportionate for the task. No arbitrary or opaque external installers are used.
Credentials
The skill requests no environment variables or credentials. config.json contains only URL strings for data sources. This is proportional. Caution: if you or a third party edits PRIMARY_URL/BACKUP_URL to point at an attacker-controlled host, the skill will download and write whatever content is served, so treat those URLs as trust-sensitive.
Persistence & Privilege
The skill does not request permanent inclusion (always:false), does not modify other skills or system-wide settings, and has no special privileges. It only writes a single calendar file under its data/ directory.
Assessment
This skill is coherent and low-risk but follows a few simple rules before you run it: - Inspect config.json to confirm PRIMARY_URL and BACKUP_URL are trusted sources (the default PRIMARY_URL is an iCloud public holidays feed; the backup is GitHub raw). Replace only with URLs you trust. - Running download_ics.py will perform HTTP GET(s) and overwrite data/cn_zh.ics — check the downloaded content if you need to guard against unexpected calendar entries. - Dependencies: install requests and icalendar in a controlled Python environment. - SKILL.md mentions automatic cron updates but doesn't provide a cron job; if you set a cron yourself, consider network restrictions. - The SKILL.md statement about upward-tracing for config.json is inconsistent with the code (it uses a fixed path), so verify config placement if you move the folder. If you accept those caveats (trusted URLs and the script's write behavior), the skill appears to be what it claims.

Like a lobster shell, security has layers — review code before you run it.

latestvk974b8vgtkm3jpm137dmhxec7583xn0t

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments