Skill v1.0.1

ClawScan security

Schedule Manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 6, 2026, 4:36 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This macOS-only Schedule Manager skill is internally consistent with its stated purpose: it uses osascript and reminders-cli to read and write Calendar/Reminders and optionally read local schedule YAML files for planning.
Guidance
This skill appears to do what it says: manipulate Apple Calendar and Reminders via osascript and reminders-cli. Before installing or granting permissions:
1) Confirm you are on macOS (the skill only works there).
2) Review any ~/code/*/planning/schedules/*.yaml files if you don't want project timelines exposed — the skill may scan them if present.
3) Be prepared to grant Calendar and Reminders access to the terminal/agent process (check the process name it requests access for, e.g., Terminal or your agent).
4) reminders-cli is installed via Homebrew; the scripts only suggest standard Homebrew bootstrap commands.
If you want to be cautious, run the included scripts (scripts/check_dependencies.sh and scripts/check_permissions.sh) locally to see what the skill would do before enabling it for autonomous use.

Review Dimensions

Purpose & Capability
note: The skill's name and instructions target macOS Calendar and Reminders and require osascript and reminders-cli, which is coherent. Minor inconsistency: registry metadata listed no OS restriction while the description and prerequisites explicitly state macOS-only.
Instruction Scope
note: Runtime instructions and included scripts run osascript and reminders-cli (expected). The SKILL.md also specifies an optional scan of local files at ~/code/*/planning/schedules/*.yaml to enrich weekly planning — this is within the skill's stated feature set but does cause the skill to read user project files, which may contain sensitive scheduling/roadmap data. The README also says not to proactively check tools at load time, but shipped scripts exist that do dependency/permission checks (a minor contradiction, not malicious).
Install Mechanism
ok: Instruction-only skill with two helper scripts; no install spec or archived downloads. The only external install guidance is to use Homebrew and a brew formula (reminders-cli). The Homebrew bootstrap command suggested (curl raw.githubusercontent.com) is standard guidance and not an arbitrary download URL.
Credentials
note: The skill requests no environment variables or external credentials (good). It does require Terminal/agent to be granted Calendar and Reminders privacy permissions to function. It also optionally reads local schedule YAMLs under ~/code/* — reasonable for the 'cross-project weekly planning' feature but a privacy consideration: those files may contain sensitive project timelines and should be reviewed before granting access.
Persistence & Privilege
ok: The skill does not request always:true, does not declare persistent system-wide changes, and does not modify other skills. Permission requests are limited to standard macOS Calendar/Reminders access prompts.