ClawHub

Appointment Manager

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill is mostly aligned with appointment management, but it asks the agent to automatically book real appointments, use personal details, access calendar context, and create future reminder jobs with limited explicit approval boundaries.

Before installing, make sure you are comfortable with the agent booking appointments through websites, storing appointment and location details locally, adding events to Google Calendar if connected, and sending reminders to configured channels. For safety, require the agent to show all booking details and get your explicit approval before it submits any appointment.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#ASI02: Tool Misuse and Exploitation
Medium
What this means

The agent could schedule an appointment or submit personal booking details based on the initial request rather than a final reviewed confirmation.

Why it was flagged

This gives the agent authority to complete real bookings through a browser workflow. Booking is purpose-aligned, but the artifact does not clearly require a final user approval before submitting the appointment.

Skill content
Online booking (handled automatically): Agent uses the browser tool to find and complete the booking. No action required from the user beyond the initial request.
Recommendation

Require explicit confirmation of provider, time, personal details, cancellation policy, and the final submit action before completing any booking.

#ASI03: Identity and Privilege Abuse
Low
What this means

Appointments may be added to the user's calendar and calendar availability may influence booking choices.

Why it was flagged

Calendar access is expected for appointment scheduling, but it uses delegated account context and writes events by default after user opt-in.

Skill content
If Google Calendar is connected: ask if they want appointments added automatically. Default: yes.
Recommendation

Confirm which calendar is used, whether events are private, and whether automatic calendar writes are enabled.

#ASI06: Memory and Context Poisoning
Medium
What this means

Sensitive appointment information, including health-related visits, locations, confirmation details, and reminder delivery targets, may remain in local skill files.

Why it was flagged

The skill stores appointment lifecycle data, provider details, reminder preferences, and delivery settings in persistent local files.

Skill content
appointments.md     all appointments, status, full lifecycle
providers.md        known providers with booking method, contact, notes
config.md           reminder preferences, delivery settings
Recommendation

Review the generated files periodically, avoid storing unnecessary medical details, and add a clear cleanup or retention policy.

#ASI10: Rogue Agents
Low
What this means

The agent may wake later and send appointment reminders containing private details to configured channels.

Why it was flagged

The skill schedules future autonomous agent turns to send reminders. This is disclosed and purpose-aligned, and jobs are marked delete-after-run, but it is still background behavior.

Skill content
For each reminder in the chain, register an isolated cron job... "kind": "agentTurn"... "deleteAfterRun": true... "delivery": { "mode": "announce", "channel": "<CHANNEL>", "to": "<TARGET>" }
Recommendation

Use trusted delivery channels, verify the recipient target, and provide a way to list or cancel scheduled reminder jobs.

#ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Users may not see all runtime dependencies or permissions from the registry metadata alone.

Why it was flagged

The instruction-only skill depends on an external browser capability for its main online-booking workflow, while the supplied install metadata has no install spec and no derived capability tags.

Skill content
compatibility: Requires lobstrkit with Exine browser for online booking.
Recommendation

Document the required browser/calendar/reminder capabilities in registry metadata and ensure users approve them before use.