Chinese Holiday Assistant
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a straightforward holiday-checking skill, with only low-risk notes around public calendar downloads, Python dependencies, and a disclosed cron-style updater.
This skill is reasonable to install if you want a local Chinese holiday checker. Before enabling updates, verify the calendar URLs in config.json, install Python dependencies from trusted sources, and approve any cron job explicitly.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the update script will contact the configured calendar source and replace the skill's local holiday calendar data.
The helper script performs an outbound HTTP request and writes the response to the local holiday data file. This is disclosed and purpose-aligned, but users should know updates replace local data.
response = requests.get(url, timeout=10)
...
with open(DATA_PATH, 'wb') as f:
    f.write(response.content)
Use only trusted calendar URLs and run updates intentionally; review config.json before relying on automatic or manual updates.
If dependencies are installed manually, the user must trust the package source and versions they choose.
The skill depends on Python packages but provides no install spec or pinned dependency manifest. This is common for small helper skills, but it leaves dependency installation to the user.
Installed dependencies: `requests`, `icalendar`
Install dependencies from trusted package repositories and consider pinning versions in your own environment.
If a cron job is enabled, the skill could periodically make network requests and update its local calendar data without a fresh prompt each time.
The skill describes a monthly cron-based updater, which is persistent background activity. It is disclosed and aligned with keeping calendar data current, and no hidden cron installer is present in the provided files.
**Automatic Update**: Automatically pulls the latest calendar data every month via a `cron` scheduled job.
Only enable the cron update with explicit user approval, keep the cron entry visible, and make sure it is easy to disable.
