Skillv1.0.0

ClawScan security

workday-calculator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 12, 2026, 2:01 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The package is internally consistent: it is a local Python workday/holiday calculator with no network exfiltration, no credentials requested, and the included scripts match the described functionality.
Guidance: This skill appears to be what it claims: a local Python workday calculator that needs only Python. Before installing or running: (1) review install.sh — it may copy files into /usr/lib or create symlinks (requires root); run it in a safe directory or inspect/modify paths if you don't want system-wide changes; (2) run scripts in an isolated environment (virtualenv or container) if you have security concerns; (3) be aware example_usage.py executes shell commands (subprocess with shell=True) for demos — only run it if you trust the included command strings; (4) if you plan to use update_holidays.py, note it reads and prints code from workday_calculator.py and can generate code snippets to paste back into that file. If you want extra assurance, open the files locally and verify they match the provided sources before execution.

Review Dimensions

Purpose & Capability: okName/description (workday calculator for China holidays) aligns with the provided code and docs. The code files implement date calculations, holiday lists for 2025–2026, an update tool that edits the holiday lists, and example usage — all expected for this purpose.
Instruction Scope: okSKILL.md and the scripts confine behavior to local operations: parsing dates, calculating workdays, exporting JSON, and interactively updating holiday lists. update_holidays.py reads the main script to extract holiday arrays (expected for an update helper). No instructions to read unrelated system config, environment secrets, or to transmit data to external endpoints are present.
Install Mechanism: noteNo formal install spec in the registry (instruction-only), but an install.sh is included. install.sh copies script files into a chosen install directory and may place them under /usr/lib or ~/.openclaw if those paths exist; it also makes scripts executable. This is reasonable for a local script installer but means files may be written to system locations if run with sufficient privileges — review before running as root.
Credentials: okThe skill declares no required environment variables, no credentials, and does not access secrets. package.json lists engine minimums but no dependencies. The environment access requested is proportional to the stated functionality.
Persistence & Privilege: notealways:false and normal autonomous invocation. The install script can create files under ~/.openclaw or /usr/lib and suggests creating a symlink under /usr/local/bin (requires sudo). This is expected for command-line tools but means installation may modify local filesystem locations; it does not modify other skills or request persistent platform-wide privileges.