ClawHub

Lunar Calendar

Security checks across malware telemetry and agentic risk

Overview

This skill has a plausible calendar purpose, but the bundle also contains unrelated GitHub publishing, token-handling, packaging, and community-promotion workflows that go beyond a lunar calendar tool.

Review before installing. Do not run LAUNCH_NOW.sh, github_auto_setup.sh, scripts/create_github_repo.sh, or scripts/publish.sh unless you intentionally want to publish this project and have audited the target repository and token handling. Do not provide a GitHub token to this bundle. Treat almanac and solar-term results as non-authoritative unless the implementation is replaced or validated, and prefer a cleaned package containing only the calculator, references, and clearly scoped install instructions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (41)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares itself as a deterministic calendar query tool, yet the static analysis reports shell and file-write capabilities without corresponding permission declarations. Undeclared execution and write capabilities create a hidden trust boundary: a seemingly harmless date-conversion skill could invoke local commands or modify files, increasing the risk of unauthorized side effects or abuse.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
This is a severe description-behavior mismatch: the skill presents itself as a lunar calendar utility, but the reported behavior includes Git configuration changes, repository initialization, GitHub API usage, token-backed pushes, packaging, and release automation. Disguising code publication and remote exfiltration capabilities as a calendar tool is highly dangerous because users and orchestration systems may grant trust or activate it in benign contexts while it performs unrelated, high-impact actions.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file is materially unrelated to the declared lunar-calendar skill and instead provides step-by-step instructions for posting promotional content to an external community site. This expands the skill's effective behavior from calendrical computation into marketing, account-driven web actions, and user-engagement workflows, creating a strong scope mismatch that could be abused for unauthorized promotion or spam under the guise of the skill.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The instructions direct external community interaction, link sharing, discussion management, feedback collection, and traffic monitoring, none of which are necessary for lunar date conversion or almanac queries. In an agent context, these instructions could steer the system toward performing reputation-building or promotional actions on third-party platforms, increasing the risk of spam, unwanted outreach, or misuse of authenticated sessions.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The checklist contains explicit operational steps for publishing to GitHub and promoting in a community, which goes beyond the declared skill scope of lunar-calendar querying and date conversion. In an agent context, such out-of-scope instructions can drive unintended external actions, repository publication, and community posting if the skill is auto-activated, increasing the risk of unauthorized exfiltration or misuse of the hosting environment.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The document rebrands the skill as a '农历生日提醒系统' rather than the manifest-declared lunar calendar query tool, indicating scope drift and possible hidden functionality or operator confusion. In security-sensitive agent ecosystems, mismatched identity between manifest and bundled docs can mask unexpected capabilities and make it easier for broader action-oriented instructions to appear legitimate.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This file instructs users to create and publish a GitHub repository for a separate lunar-birthday-reminder project, which is unrelated to the declared purpose of a lunar calendar query/conversion skill. In skill ecosystems, hidden or unjustified operational instructions are dangerous because they can induce users or agents to perform repository creation and code publication actions outside expected scope, increasing the risk of unauthorized data exposure or supply-chain abuse.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The documented workflow includes running a script, adding a remote, pushing code, and creating a GitHub release, which are code publication and release-management actions unrelated to the stated calendar-conversion purpose. Such instructions materially expand the skill's operational capability and could be abused to publish unintended code, overwrite repository state, or facilitate unauthorized release activity.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This script performs repository initialization, commits, tagging, and packaging, which is unrelated to a lunar calendar query skill and indicates hidden operational behavior beyond the declared capability. In an agent-skill context, mismatched functionality is dangerous because it can manipulate a user's workspace, publish project contents, and prepare data for exfiltration or distribution without being necessary for the advertised task.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Repository publishing and packaging capabilities are unjustified for a calendar lookup tool and materially increase the attack surface. Even though the script stops short of automatically pushing, it stages all files, creates commits and tags, and writes a tarball, which can expose sensitive local contents and mislead operators into publishing unrelated data.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The file advertises itself as a GitHub upload tool for a different project ('农历生日提醒系统'), which contradicts the manifest for a lunar calendar query tool and is a strong indicator of repurposed or deceptive content. This context mismatch makes the skill more dangerous because users and reviewers may trust it for benign date calculations while it contains unrelated repository-manipulation behavior.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The document claims meaningful current functionality while simultaneously admitting several core advertised capabilities, including 节气计算 and 黄历宜忌, are still unverified or not yet implemented. In a skill that may be force-activated for date and calendrical decisions, this mismatch can mislead users and downstream agents into trusting outputs beyond the system's validated scope.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The file explicitly says the system is currently only a reference version based largely on third-party libraries and still awaiting authoritative verification, which conflicts with the skill metadata's stronger claims of professional, precise functionality. This is dangerous because users may rely on unverified calendar conversions or auspicious-date information for culturally significant or scheduling-sensitive decisions.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file's behavior is unrelated to the declared lunar-calendar functionality and instead creates and publishes a GitHub repository. This capability mismatch is a strong indicator of deceptive or unauthorized behavior, especially because it performs networked code-publishing actions that a calendar-query skill does not need.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script requires a GitHub token and uses it to create a repository and push code, which is unjustified for a lunar calendar tool. Access to authentication material plus outbound publishing creates a clear risk of unauthorized account actions and source exfiltration under the user's identity.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill metadata promises professional-grade lunar/solar calendar conversion, leap-month handling, almanac recommendations, and precise solar terms, but the implementation uses obvious placeholder logic: Gregorian month/day remapped modulo 12/30 and fixed month-day solar terms. In a calendar skill, incorrect date conversion is the core security/trust issue because downstream agents or users may rely on it for decision-making while believing it is authoritative.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The file-level documentation presents the tool as providing lunar calendar query functionality, while the code itself acknowledges it is simplified and not a real lunar algorithm. This mismatch can mislead integrators into treating outputs as accurate, increasing the chance of incorrect automation or user guidance.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This script generates and encourages use of a helper that creates GitHub repositories and publishes local code, which is unrelated to the declared lunar-calendar functionality. In an agent skill, unrelated release automation expands the attack surface and can be abused to exfiltrate project contents or push code to an attacker-controlled workflow under the guise of normal operation.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The generated helper performs network calls to the GitHub API and executes git publishing actions despite having no connection to lunar calendar querying. This capability enables outbound transmission and remote code publication from the local environment, which is especially risky when embedded in a skill users may trust for a completely different purpose.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The script presents hardcoded mappings and fallback strings as if they demonstrate real lunar-calendar conversion, while the surrounding metadata and output imply professional or precise capabilities. This is dangerous because downstream agents or users may rely on inaccurate calendrical results for date-sensitive cultural, personal, or business decisions, creating integrity and trust risks.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The script claims support for Huangli/auspiciousness querying in its output, but no such logic or data source exists in the code. In an agent-skill context, this can mislead orchestration systems or users into believing a sensitive traditional-calendar advisory feature is available when it is not, resulting in fabricated or absent results being trusted as authoritative.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill metadata promises highly precise solar-term results, but the implementation uses hard-coded month-day values and explicitly labels them as approximate. In a calendar/almanac skill where users may rely on exact traditional date calculations, this is a deceptive capability mismatch that can mislead downstream decisions and cause materially incorrect outputs.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The code returns static placeholder '宜/忌' data for every date while the skill description advertises professional almanac queries. This can systematically produce false guidance while appearing authoritative, which is especially risky because the skill is designed to be force-activated for related user requests.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The CLI describes itself as a 'production-grade stable' engine even though several core paths are explicitly simplified or approximate. This overstatement increases user trust in inaccurate results and compounds the risk created by the misleading feature claims elsewhere in the file.

Context-Inappropriate Capability

Medium
Confidence
78% confidence
Finding
The generated installer invokes `python3 -m pip install` to fetch packages from the network during installation, which expands the skill's capability beyond calendar queries into package management. This introduces supply-chain risk because installation depends on external package sources at install time, and users may run the script with little visibility into what is fetched.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal