Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Openclaw With Apple
v1.0.0 · Full Apple iCloud access + in-depth Apple Health analysis + two-way to-do sync
by Pygmalion@gzww
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence

Purpose & Capability
The name/description (iCloud, Health, two‑way tasks) match the included scripts (pyicloud, caldav, health_tool, tasks_tool). Requiring an app‑specific password for CalDAV and a full login/session for broader iCloud access is coherent with the stated functionality. HOWEVER the registry metadata declared no required environment variables or primary credential while SKILL.md and multiple scripts explicitly instruct users to provide ICLOUD_APP_PASSWORD, ICLOUD_USERNAME, and the Apple ID main password — this metadata mismatch is a red flag (incoherent packaging).
Instruction Scope
SKILL.md contains an 'iron law' that forces the agent to immediately execute local Python commands whenever a user mentions an action or note, without asking confirmation. It also instructs the agent to solicit Apple ID main password and 2FA codes in chat and to set environment variables and cron jobs automatically. These instructions grant broad file/system interaction (writing JSON, installing cron jobs, reading home iCloud Drive paths) and direct secret handling via chat — far beyond a passive helper. The requirement that users paste main passwords / 2FA into the conversation is especially problematic because chat logs persist.
Install Mechanism
No automated installer is declared in the registry, but SKILL.md instructs pip install pyicloud caldav icalendar. Pulling dependencies from PyPI is common and expected for this Python toolset (moderate risk). There is no remote arbitrary binary download in the metadata. Still, the skill will write cron entries and create files (setup_tasks_cron.py / tasks_latest.json / session cache), so disk writes and scheduled persistence are expected and should be reviewed before running on shared systems.
Credentials
The skill asks for very sensitive credentials (Apple ID main password and 2FA) even though some features can operate with only an application‑specific password. Requesting the main password is explainable for full iCloud access, but SKILL.md explicitly instructs users to send those secrets in chat (and to set them as environment variables), which is disproportionate and unsafe. The skill also claims passwords 'won't be written to disk' but will create session tokens in ~/.pyicloud/ — accurate but still a persistence of authentication state that must be protected. The registry metadata claiming 'none' for required env vars conflicts with the real credential needs declared in documentation and code.
Persistence & Privilege
The skill will persist iCloud session tokens/cookies to ~/.pyicloud/ (normal for pyicloud) and instructs installation of a nightly cron job to push JSON files to iCloud Drive. It is not marked always:true, but the SKILL.md 'iron law' plus automatic cron installation increases the blast radius: the agent is expected to autonomously run commands and keep scheduled tasks on the host. That level of persistence combined with secret handling and automated execution is sensitive and should be limited to a trusted, single‑user machine.
What to consider before installing:
- Do NOT paste your Apple ID main password or one‑time 2FA codes into chat history. The SKILL.md explicitly encourages that — it's unsafe because chat logs may persist. Prefer local interactive login on a machine you control.
- Prefer using an Apple app‑specific password whenever possible (the docs say calendar can work with that alone). If you only need calendar/CalDAV, avoid giving the main password.
- Inspect scripts before running: review setup_tasks_cron.py, icloud_auth.py, tasks_tool.py and any code that writes cron entries, uploads files, or calls external endpoints. Only run on a personal, non‑shared machine.
- The skill will cache session tokens under ~/.pyicloud/ — protect that directory (permissions) and delete/revoke sessions when you stop using the skill. Revoke app‑specific passwords on appleid.apple.com after testing.
- The SKILL.md forces immediate command execution when the user mentions actions; consider disabling or modifying that behavior (require explicit confirmation) before using the skill broadly.
- If you must use it: run the code locally (not on a cloud/shared server), create a separate Apple account for testing if possible, and audit the files the skill creates (tasks_latest.json, notes_latest.json) and scheduled cron jobs.
Why I'm suspicious: the code matches the claimed capabilities but the runtime instructions ask for sensitive secrets via chat, enforce autonomous immediate execution, and the registry metadata fails to declare those credential requirements — this combination raises significant safety and coherence concerns. If you want, I can highlight the exact lines in scripts that persist sessions or add concrete steps to run the skill safely in a sandboxed/local environment.
