Taiwan Calendar Plugin
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
When invoked, the agent can run the bundled calendar script locally to answer date questions.
The skill runs a local Python script through Bash. This is central to the calendar-query purpose and the commands are documented, but users should expect local code execution via `uv`.
allowed-tools: Bash ... All commands use: `uv run --managed-python scripts/taiwan_calendar.py <command>`
Install only if you are comfortable allowing this scoped Bash command, and keep invocations limited to the documented calendar commands and date formats.
If a fallback network response were tampered with, the user could receive incorrect holiday or working-day information.
The script fetches remote calendar data and conditionally disables TLS certificate verification for non-JSDelivr/GitHub sources. This affects the trustworthiness of fallback data, though it does not expose credentials or mutate user data.
verify_ssl = "jsdelivr" in url or "github" in url response = requests.get(url, timeout=10, verify=verify_ssl)
Prefer verified HTTPS for all data sources, or document the fallback trust tradeoff clearly for users.
Calendar answers may be based on recently cached public data rather than a fresh network response.
The skill persistently caches retrieved calendar data. The cache is disclosed and appears limited to public calendar data, not user secrets or private documents.
Caching ... Location: System temp directory ... File: `taiwan-calendar-cache.json` ... Expiry: 1 hour
This is acceptable for the stated purpose; clear the temp cache if you need to force a fresh calendar fetch.