Taiwan Calendar Plugin
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: taiwan-calendar
Version: 0.0.1

The skill bundle is benign. It provides Taiwan calendar information by querying government open data APIs. The `SKILL.md` correctly defines the `Bash` tool usage to execute the Python script with specific arguments, preventing arbitrary shell command injection from user input. The `scripts/taiwan_calendar.py` fetches data from legitimate government sources (cdn.jsdelivr.net/gh/ruyut/TaiwanCalendar, data.ntpc.gov.tw) and caches it in the system's temporary directory. While the script uses `verify=False` for one API source, which is a minor security vulnerability (MITM risk for that specific API call), it is a common workaround for problematic public APIs and does not indicate malicious intent. There is no evidence of data exfiltration, persistence mechanisms, or prompt injection attempts designed to mislead the agent into performing unauthorized actions.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
When invoked, the agent can run the bundled calendar script locally to answer date questions.
The skill runs a local Python script through Bash. This is central to the calendar-query purpose and the commands are documented, but users should expect local code execution via `uv`.
allowed-tools: Bash ... All commands use: `uv run --managed-python scripts/taiwan_calendar.py <command>`
Install only if you are comfortable allowing this scoped Bash command, and keep invocations limited to the documented calendar commands and date formats.
If a fallback network response were tampered with, the user could receive incorrect holiday or working-day information.
The script fetches remote calendar data and conditionally disables TLS certificate verification for non-JSDelivr/GitHub sources. This affects the trustworthiness of fallback data, though it does not expose credentials or mutate user data.
    verify_ssl = "jsdelivr" in url or "github" in url
    response = requests.get(url, timeout=10, verify=verify_ssl)
Prefer verified HTTPS for all data sources, or document the fallback trust tradeoff clearly for users.
Calendar answers may be based on recently cached public data rather than a fresh network response.
The skill persistently caches retrieved calendar data. The cache is disclosed and appears limited to public calendar data, not user secrets or private documents.
Caching ... Location: System temp directory ... File: `taiwan-calendar-cache.json` ... Expiry: 1 hour
This is acceptable for the stated purpose; clear the temp cache if you need to force a fresh calendar fetch.
