Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Calendar Manager

v1.0.0

Calendar management - scheduling, meeting reminders, conflict detection

MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The stated purpose (calendar management: add/list/remind/check) matches the CLI examples in SKILL.md. However the skill references a 'clawhub' CLI for runtime actions but does not declare that binary in the registry-level requirements; _meta.json lists 'curl' as a required binary while the top-level registry metadata lists none. This mismatch is unexplained.
Instruction Scope
SKILL.md tells the agent to run local commands (clawhub cal ...). There are no instructions that read unrelated system files or request secrets, but because the agent would execute a local CLI that is not bundled or fully documented here, the runtime behavior (network calls, where calendar data is stored, what credentials the CLI uses) is unclear and could cause unexpected data transmission.
Install Mechanism
This is instruction-only with no install spec. README suggests using 'npx clawhub@latest install calendar-manager' to install, but the skill package itself provides no install artifact or signed release URL. That leaves ambiguity about where the actual implementation lives and what code would be installed when following those instructions.
Credentials
The skill does not request environment variables, credentials, or config paths. That is proportionate to a simple calendar-helper skill — but the lack of declared credentials increases uncertainty about how the underlying CLI authenticates or where data is stored.
Persistence & Privilege
always is false and there is no install-time code in the package that requests persistent agent-level privileges. The skill does not attempt to modify other skills or system settings in the provided materials.
What to consider before installing
This package looks like a thin instruction wrapper around a 'clawhub' CLI but does not include the CLI or a clear, verifiable install source. Before installing or enabling it:
1) Ask the publisher for the authoritative install URL or repository for 'clawhub' and for this calendar-manager implementation; verify the publisher identity.
2) Confirm which binaries the agent will run (clawhub, curl) and where they come from.
3) Verify how calendar data is stored and whether the CLI will send data to remote servers or require credentials (and what those env vars or tokens would be).
4) If you must try it, run in a restricted/sandbox environment and inspect the code that npx would fetch.
Because of the mismatched metadata and missing implementation, treat this skill as untrusted until you can validate the CLI and its network/credential behavior.


latest vk97bzt0aap2wbyc9pk6bhrn94n850gmp
