Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Luma Event Manager
v2.1.1 · Luma Event Manager for Clawdbot — Discover events by topic or location, RSVP, view guest lists, and sync to Google Calendar. No API key required (web scraping), no Luma Plus subscription needed.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
The SKILL.md and code files implement web scraping, RSVP, and Google Calendar sync (via the gog CLI), which matches the description. However, the registry metadata reports no required binaries or homepage, while the SKILL.md metadata requires the 'pass' binary and references the 'gog' CLI. Those binaries are reasonable for the stated features, but their omission from the registry is an inconsistency that reduces trust.
Instruction Scope
Runtime instructions ask the user to export lu.ma session cookies and store them in pass. That gives the skill access to authenticated user sessions (host/guest lists, RSVP). The SKILL.md does not instruct reading any unrelated system files, but the explicit request to store session cookies in pass is a sensitive operation and could be abused if the skill reads them automatically.
Install Mechanism
There is no registry install spec, but SKILL.md includes an npm install step and the package.json + package-lock.json are present — installing will fetch npm dependencies (moderate risk). No remote binary download or obscure URL is used in the provided instructions, which reduces install risk, but you should inspect package.json dependencies before running npm install.
Credentials
The skill requires sensitive credentials in practice (lu.ma session cookies) and relies on local CLIs ('pass' to store and read the cookies, and optionally 'gog' for Google Calendar). The registry metadata lists no required env vars or binaries while SKILL.md requires 'pass' and references 'gog'; this mismatch is troubling because it understates the level of access the skill needs in order to operate and be useful.
Persistence & Privilege
The skill is not marked always:true, but disable-model-invocation is not set; that means the model could invoke the skill autonomously. Because the skill accesses session cookies via pass and can perform authenticated actions (view guest lists, RSVP), allowing autonomous invocation without additional safeguards increases the risk of unintended account access.
What to consider before installing
- Confirm the author/repo (SKILL.md points to a GitHub repo) and review the source code (especially src/scraper.ts, src/rsvp.ts, and package.json) for any network endpoints other than lu.ma and Google.
- Understand that using this skill for authenticated actions requires you to supply lu.ma session cookies; the SKILL.md recommends storing them in pass. Only do this if you trust the code, and prefer temporary credentials or manual, per-use entry if possible.
- Inspect package.json and dependencies before running npm install to ensure no malicious packages will be installed.
- Consider disabling model-initiated invocation of the skill (disableModelInvocation=true) or requiring explicit user prompts before any authenticated action (RSVP, viewing guest lists, syncing calendars).
- Verify that the skill only communicates with lu.ma and Google endpoints; if you find hard-coded external URLs in the code, do not install.
- If you are uncomfortable storing session cookies in pass, decline to provide them and use the skill only in public/discovery mode.
If you want, I can fetch and summarize the package.json and key source files to point out any suspicious network calls or uncommon dependencies.