ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

lv-guide-display

v1.0.6

小驴智能日历小助手。支持用户在线查看日历。当用户提到今日日历时触发。

0· 104·0 current·0 all-time
byJavaLearner@javaxujunxuan
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description: calendar assistant for viewing calendars online. Declared footprint: instruction-only, no required binaries, no env vars, no install. These requirements are proportionate and consistent with a simple calendar-view helper.
Instruction Scope
The provided SKILL.md snippet is mostly repeated trigger text and contains no explicit commands, endpoints, or credential requests in the visible portion. Because the file is large (45 KB) and the content shown is truncated, there may be additional runtime instructions not visible here. If the missing content instructs the agent to call external endpoints or request calendar credentials, that would need to be reviewed.
Install Mechanism
No install spec and no code files — lowest-risk delivery model (instruction-only). Nothing is written to disk by an install step.
Credentials
The skill declares no required environment variables, no primary credential, and no config paths. That is proportionate for a simple calendar viewer. Be cautious if the full SKILL.md later asks the user to supply calendar API keys or OAuth tokens.
Persistence & Privilege
always is false and model invocation is allowed (default). The skill does not request permanent presence or elevated privileges in the metadata.
Scan Findings in Context
[regex_scanner_no_findings] expected: The static regex scanner found nothing. That is expected for an instruction-only skill with no code files; absence of findings is not proof of safety. The SKILL.md content is large and truncated in the report—manual review is recommended.
Assessment
This skill appears coherent with its stated purpose and is low-risk as delivered (instruction-only, no installs or env vars). Before installing or enabling it for calendar use, manually open and read the full SKILL.md to confirm: (1) it does not ask you to paste calendar API keys, OAuth tokens, or other credentials into chat; (2) it does not call unknown external endpoints or ask the agent to upload your calendar data to third-party servers. The provided SKILL.md in the registry appears noisy and repetitive and was truncated in the report — request the full runtime instructions from the publisher if you need higher assurance. If the skill asks for OAuth credentials, prefer an official OAuth flow (redirect/login) rather than pasting secrets into the skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk97erzj3e6c261c2tpne8mnev583g32b

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments