Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Apple Calendar Manager

v1.0.0

Manage Apple Calendar events via AppleScript. Create, edit, delete, and search calendar events.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to manage Apple Calendar via AppleScript and includes helper shell scripts, which is coherent. However SKILL.md and add_event_smart.sh call an add_event.scpt AppleScript that is not included in the package — a critical missing piece. The skill also fails to declare that it needs the 'osascript' binary (used to run AppleScript). These omissions make the packaged contents insufficient for the stated purpose.
Instruction Scope
Instructions limit runtime actions to local AppleScript control of Calendar (osascript) and local date parsing; there are no network calls or attempts to read unrelated system files. However, the scripts assume Calendar GUI automation permission and a specific path (skills/apple-calendar-manager/add_event.scpt). The included parse_relative_date.sh contains logic bugs (weekday matching/translations are inconsistent) that could cause parsing failures or errors when given Russian weekday names.
Install Mechanism
This is instruction-only with two small included shell scripts and no install/download step. No remote URLs or archive extraction are used — low install risk.
Credentials
No environment variables or external credentials are requested, which is proportionate. The skill will require user-level Calendar automation permission on macOS; that privilege is appropriate for the stated functionality but should be granted intentionally. The SKILL.md does not declare the required 'osascript' dependency.
Persistence & Privilege
always is false and there is no install script that attempts to persistently modify agent or system configuration. The skill does not request elevated or persistent privileges.
What to consider before installing
This package mostly looks like a local Apple Calendar helper, but do not install or run it yet. Key issues to check before proceeding:

- The SKILL.md and add_event_smart.sh call add_event.scpt, but add_event.scpt is not included — request the missing AppleScript file and inspect it for any unexpected behavior (network calls, file writes, credential exfiltration) before running.
- The scripts invoke 'osascript' (AppleScript runner) but the skill doesn't declare that dependency; ensure your environment is macOS and you understand that osascript will control Calendar.app and will require you to grant automation permissions.
- parse_relative_date.sh has logic bugs around weekday handling and Russian weekday support; test thoroughly to avoid creating events at the wrong time.
- Because the skill controls a local app, it can create/modify calendar events; only grant automation permission if you trust the inspected AppleScript implementation.
- If you obtain the missing add_event.scpt, review its source for any network access or file-system operations. Prefer running in a controlled account/profile and back up important calendar data before use.

If the author provides the missing AppleScript and fixes the parsing logic and dependency declarations, the skill appears coherent and low-risk; as-is, missing components and inconsistencies make it suspicious.

Like a lobster shell, security has layers — review code before you run it.
