cn-calendar

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: cn-calendar
Version: 1.0.0

The skill implements a self-modifying code pattern where the AI agent is instructed to fetch external data from GitHub (NateScarlet/holiday-cn) or the Chinese Tax Bureau and then programmatically rewrite its own Python logic (workday_query.py) and local reference files. While this behavior is aligned with the stated purpose of caching holiday and tax data, the practice of an agent modifying its own executable scripts based on remote content presents a significant risk of code injection or RCE if the external sources are compromised. No evidence of intentional malice, backdoors, or data exfiltration was found in the provided files.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the upstream public data is stale or wrong, the skill could give incorrect holiday or workday answers.

Why it was flagged

For years not locally covered, the skill relies on a GitHub-hosted public dataset that indexes official notices. This is disclosed and purpose-aligned, but it is still a third-party data supply path.

Skill content

web_fetch: https://raw.githubusercontent.com/NateScarlet/holiday-cn/master/YYYY.json

Recommendation

For compliance-sensitive uses, verify future-year holiday data against the official gov.cn notice or pin/record the exact upstream source used.

What this means

A future-year query may change local skill files so later answers use the newly saved data.

Why it was flagged

The skill instructs the agent to write generated calendar data, modify its own query script, and execute a local Python test. The behavior is disclosed and scoped to the skill's own files.

Skill content

Write directly with the `write` tool: `~/.openclaw/skills/cn-calendar/references/holidays-YYYY.md` ... append the new year's holiday and make-up workday data ... to `workday_query.py` ... run a simple test with `exec`

Recommendation

Review or confirm future-year updates when accuracy matters, and keep modifications limited to the skill's own references and data blocks.