Clawlendar
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the package will trust external Python code and dependencies beyond the reviewed skill text.
The setup directs users to install the latest external Python package with all optional extras, while the provided artifact set contains only SKILL.md and no reviewed package code.
python3 -m pip install -U "clawlendar[all]"
Install only from the expected package/source, consider pinning a known version, and review the package repository or dependency list before using it in sensitive environments.
Using the skill as documented may start local processes or a server on the user's machine.
The documentation asks users to run installed package commands, a script, and optionally a Dockerized API server. This is expected for the advertised MCP/HTTP calendar service, but it is still local code execution.
clawlendar ... ./scripts/run_api.sh ... docker run --rm -p 8000:8000 clawlendar:mvp
Run these commands only when you intend to start the calendar service, stop the server when finished, and avoid running it with elevated privileges.
If the HTTP API is exposed broadly, other local or network clients may be able to call the calendar conversion endpoints.
The skill supports MCP and HTTP integration for other tools/agents, but the artifact does not describe authentication or network access controls for the API.
Run HTTP API for multi-claw integration: ... FastAPI endpoints: `GET /capabilities`, `POST /convert`, `POST /timeline`, `POST /astro`, `POST /calendar-month`, `POST /day-profile`
Expose the API only to trusted clients or localhost unless you have added appropriate access controls.