ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

morning-brief

v1.0.0

每天早上8点自动推送当前日期、周数、节假日倒计时及本周、本月、本年时间进度百分比简报。

0· 110·0 current·0 all-time
by@foxseller
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the implementation: the code computes date, week, progress percentages, weekend days and holiday countdowns. Dependencies (axios, dayjs) and a small cache file are reasonable for this functionality.
Instruction Scope
SKILL.md describes a cron trigger and npm install; the provided skill.json/main.js implement a cron-triggered node action that prints the brief to stdout. The runtime does read/write a local cache (holidays_YEAR.json) and fetch remote holiday data, both of which are coherent with the stated purpose.
Install Mechanism
There is no platform install spec (instruction-only), which is low risk. The code performs an HTTP GET to https://www.shuyz.com/githubfiles/china-holiday-calender/master/holidayAPI.json to retrieve holiday data — this is a third-party mirror rather than the GitHub raw URL mentioned in SKILL.md. Fetching external JSON is expected here but using a non-obvious host is worth noting.
Credentials
The skill requests no environment variables, no credentials, and does not access unrelated configuration paths. Its filesystem access is limited to creating/reading a local cache file in the skill directory.
Persistence & Privilege
always is false and the skill does not modify other skills or global configs. It writes a small cache file under its own directory only, which is proportionate to its purpose.
Assessment
This skill appears to do what it claims and uses only dayjs and axios plus a small local cache. Before installing, consider: (1) verify or replace the holiday JSON URL — the SKILL.md cites a GitHub repo but the code fetches from shuyz.com; if you prefer, change the URL to the official raw.githubusercontent.com path or bundle the data to avoid remote fetches; (2) confirm your platform's scheduler will capture the script output and deliver the push as you expect (the script only logs to stdout); (3) review the cached holidays_YEAR.json after first run to ensure it contains expected data; and (4) run the script locally (npm install; node main.js) to inspect output and behavior. If you need higher assurance, ask the maintainer for the original upstream repo or a signed release.
!
main.js:27
File read combined with network send (possible exfiltration).
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.

latestvk975k1ywxn63eb42gpeh8nbpg9835hw7

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments