Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Student Timetable

v0.1.0-alpha.4

Student timetable manager for self or parent-managed child profiles. Includes init flow + profile registry under schedules/profiles/.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name/description (student timetable manager) matches the code and runtime instructions: CLI commands for init, day/week queries, profile registry, and migration utilities. Files implement profile registry, schedule resolution, migrations, and a CLI. No unrelated capabilities (cloud credentials, system config access, or package installs) are requested.
Instruction Scope
SKILL.md instructs only to run the local CLI (init, today, tomorrow, this_week, next_week). The code does file I/O under schedules/profiles/ and schedules/backups/, which is coherent. One caveat: academic_calendar_import.js calls web_search/web_fetch (via skill_runtime.js) to fetch calendar pages — that functionality is not surfaced in SKILL.md/README CLI usage, so there exists code that can fetch external URLs. Also interactiveInit uses readline and will prompt for input and write files; running non-interactively may hang. Review skill_runtime.js and tool.js to confirm how/when web_fetch and any network calls are invoked.
Install Mechanism
No install spec is provided (instruction-only). There are no downloads or package installs declared. The skill is simply a set of Node.js files that operate on the workspace when executed — lower install risk. Running the scripts requires Node.js on the host, which is expected for this project.
Credentials
The skill requests no environment variables, no credentials, and no config paths beyond its own workspace files. All required access is limited to writing/reading files under the 'schedules' workspace area, which is proportionate to the stated purpose.
Persistence & Privilege
The skill does not request permanent/invisible presence (always is false). Its operations create and modify files under schedules/profiles/ and schedules/backups/ within the workspace. It does not modify other skills' configs or system-wide settings based on the provided sources.
Assessment
This skill appears to be what it says: a local timetable manager that reads and writes JSON under schedules/profiles/. Before installing or running it, consider:
- Review skill_runtime.js and tool.js (they were present but not shown here) to confirm when web_fetch/web_search are used and what endpoints they contact. academic_calendar_import.js contains code to fetch remote pages — if you will allow network access, verify its behavior and allowed domains.
- The init flow is interactive (readline) and will create files in schedules/profiles/ and schedules/backups/. Back up any existing schedules directory before running migrations or init.
- Because the source/homepage are unknown, exercise caution: run in an isolated workspace or sandbox rather than a production/user-data directory until you've audited the entire code (especially skill_runtime.js and tool.js).
- If you plan to let an autonomous agent invoke this skill, be aware it can read and write schedule files and potentially perform network fetches (see above). If you want to avoid interactive prompts or unintended network activity, run CLI commands manually after review.
If you want, provide the contents of skill_runtime.js and tool.js and I can inspect them specifically for network calls, obfuscated code, or other risks—that would raise confidence from 'medium' to 'high'.

Like a lobster shell, security has layers — review code before you run it.
