Luma Event Manager

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill’s cookie-based Luma access and optional Google Calendar changes are sensitive but are disclosed and fit the event-management purpose.

Install this only if you are comfortable giving the skill access to your Luma browser session cookies and, optionally, your Google Calendar through gog. Use public search without cookies when possible, and be careful with RSVP and calendar commands because they can change real account data.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

66/66 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone or any agent workflow using these stored cookies may be able to access Luma data and perform Luma actions as the user.

Why it was flagged

The skill relies on browser session cookies to act as the user for authenticated Luma features such as private events, guest lists, and RSVPs.

Skill content

Copy cookie values: `luma_session`, `luma_user_id` ... `pass insert luma/cookies`

Recommendation

Only configure cookies if you need authenticated features; store them securely, avoid sharing outputs containing private event data, and revoke/logout sessions if you stop using the skill.

What this means

A mistaken or overly broad agent instruction could RSVP, cancel, or waitlist the user for an event.

Why it was flagged

The RSVP feature submits POST requests to Luma using the user's cookies, which can change the user's RSVP state.

Skill content

method: 'POST', ... body: JSON.stringify(payload)

Recommendation

Use explicit event slugs and RSVP responses, and review any agent plan before letting it submit RSVP changes.

What this means

The skill can create events in the selected Google Calendar account when the calendar tool is invoked.

Why it was flagged

Calendar sync invokes the local gog CLI to create Google Calendar entries. This is disclosed and central to the calendar-sync feature.

Skill content

const result = await execFileAsync('gog', args, { encoding: 'utf8' });

Recommendation

Install and authorize gog only if you want calendar sync, and specify the intended Google account/calendar when multiple accounts are present.

What this means

Installation may pull third-party package code needed for scraping.

Why it was flagged

The skill depends on npm packages for HTML parsing; this is normal for a scraping skill, and a package-lock is present, but users are still relying on the npm dependency chain.

Skill content

"dependencies": { "cheerio": "^1.2.0" }

Recommendation

Install from a trusted source and review the package-lock/dependency updates if reproducibility matters.