Clawlendar
PassAudited by ClawScan on May 1, 2026.
Overview
Clawlendar appears to be a straightforward calendar-conversion skill, with the main caution that setup asks users to install and run an external Python/MCP/API package that is not included in the provided artifacts.
This looks suitable for calendar and timestamp conversion tasks. Before installing, verify that the PyPI/GitHub package is the one you intend to trust, consider pinning the version, and run the optional HTTP/MCP server only on trusted machines or networks.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the package will trust external Python code and dependencies beyond the reviewed skill text.
The setup directs users to install the latest external Python package with all optional extras, while the provided artifact set contains only SKILL.md and no reviewed package code.
python3 -m pip install -U "clawlendar[all]"
Install only from the expected package/source, consider pinning a known version, and review the package repository or dependency list before using it in sensitive environments.
Using the skill as documented may start local processes or a server on the user's machine.
The documentation asks users to run installed package commands, a script, and optionally a Dockerized API server. This is expected for the advertised MCP/HTTP calendar service, but it is still local code execution.
clawlendar ... ./scripts/run_api.sh ... docker run --rm -p 8000:8000 clawlendar:mvp
Run these commands only when you intend to start the calendar service, stop the server when finished, and avoid running it with elevated privileges.
If the HTTP API is exposed broadly, other local or network clients may be able to call the calendar conversion endpoints.
The skill supports MCP and HTTP integration for other tools/agents, but the artifact does not describe authentication or network access controls for the API.
Run HTTP API for multi-claw integration: ... FastAPI endpoints: `GET /capabilities`, `POST /convert`, `POST /timeline`, `POST /astro`, `POST /calendar-month`, `POST /day-profile`
Expose the API only to trusted clients or localhost unless you have added appropriate access controls.