Taiwan Calendar Plugin
PassAudited by ClawScan on May 1, 2026.
Overview
The skill appears purpose-aligned: it runs a local Python helper to fetch public Taiwan calendar data, with minor review notes for Bash/uv execution, remote data trust, and a temp cache.
This looks safe for its stated purpose if you are comfortable with a skill that runs a local Python script via Bash, may use `uv` to manage Python dependencies, fetches public calendar data from remote sources, and stores a short-lived temp cache. No credential use, broad local file access, or destructive behavior is evidenced.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
When invoked, the agent can run the bundled calendar script locally to answer date questions.
The skill runs a local Python script through Bash. This is central to the calendar-query purpose and the commands are documented, but users should expect local code execution via `uv`.
allowed-tools: Bash ... All commands use: `uv run --managed-python scripts/taiwan_calendar.py <command>`
Install only if you are comfortable allowing this scoped Bash command, and keep invocations limited to the documented calendar commands and date formats.
If a fallback network response were tampered with, the user could receive incorrect holiday or working-day information.
The script fetches remote calendar data and conditionally disables TLS certificate verification for non-JSDelivr/GitHub sources. This affects the trustworthiness of fallback data, though it does not expose credentials or mutate user data.
verify_ssl = "jsdelivr" in url or "github" in url response = requests.get(url, timeout=10, verify=verify_ssl)
Prefer verified HTTPS for all data sources, or document the fallback trust tradeoff clearly for users.
Calendar answers may be based on recently cached public data rather than a fresh network response.
The skill persistently caches retrieved calendar data. The cache is disclosed and appears limited to public calendar data, not user secrets or private documents.
Caching ... Location: System temp directory ... File: `taiwan-calendar-cache.json` ... Expiry: 1 hour
This is acceptable for the stated purpose; clear the temp cache if you need to force a fresh calendar fetch.