ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Timezone

v1.0.0

Stops your OpenClaw agent from reporting the wrong time. Prevents the common UTC-as-local mistake that makes agents look broken. Install this if your agent h...

0· 49·0 current·0 all-time
by@ferrentinomj-dev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name and description match what the code and SKILL.md do: detect a timezone from USER.md or system, write tz_config.json, provide now.py for canonical time output, and patch AGENTS.md with standing rules. There are no unrelated environment variables or unexpected binaries requested.
Instruction Scope
SKILL.md instructions are explicit and match the code: run timezone_setup.py on first use (interactive or pre-populate tz_config.json for headless), always call now.py when outputting time, and use /timezone to view/change settings. The instructions do read/write USER.md, tz_config.json, and AGENTS.md as documented; they do not instruct the agent to read arbitrary secrets or send data externally.
Install Mechanism
This is an instruction-only skill with bundled Python scripts (no install spec, no downloads). No external packages are fetched by an installer; timezone resolution uses local system calls or standard Python libraries at runtime.
Credentials
The skill requires no environment variables or credentials. It reads USER.md and system timezone files (timedatectl, /etc/localtime, /etc/timezone) which is appropriate for determining a timezone; there are no unexplained secret accesses.
!
Persistence & Privilege
The skill writes to AGENTS.md (a workspace/global agent file) outside its own directory to append or update a 'Timezone Standing Order'. The code will patch AGENTS.md unconditionally in some code paths (the --set branch uses 'if args.patch_agents or True' which always triggers the patch), which is intrusive behavior to a system-wide file. While this is documented in SKILL.md, modifying a global agent instructions file is a higher-privilege action and worth noticing before install.
Assessment
What to consider before installing: - This skill is coherent with its stated purpose and does not request secrets or network access, but it will modify AGENTS.md (a global agent document) to insert timezone standing orders — review and back up AGENTS.md first. - timezone_setup.py will attempt to auto-detect local timezone via timedatectl, /etc/localtime, or /etc/timezone and falls back to interactive prompting; in headless setups you should pre-populate tz_config.json with a valid IANA name. - The setup script will always attempt to patch AGENTS.md in some code paths (the script contains an unconditional patch path); if you do not want automatic edits to AGENTS.md, inspect and run timezone_setup.py manually before granting it run privileges. - After install, verify tz_config.json contents and inspect any AGENTS.md changes to confirm the inserted standing order is acceptable. - If you want to be extra cautious, run the scripts in a sandboxed environment first to observe file modifications (they do not perform network calls or exfiltrate data).

Like a lobster shell, security has layers — review code before you run it.

latestvk977pycdhpt27hcxfkxwtadtsh84feav

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments