Skylv Schedule Skill
AdvisoryAudited by VirusTotal on Apr 20, 2026.
Overview
Type: OpenClaw Skill Name: skylv-schedule-skill Version: 1.0.1 The skill bundle is a comprehensive calendar management tool for macOS and Windows, utilizing native scripts (calendar.sh) to interact with system APIs like AppleScript and Outlook COM. It follows a well-defined decision tree for platform detection and provides fallback mechanisms to .ics files or Applinks for third-party services like Feishu and DingTalk. The code demonstrates good security practices, such as sanitizing filenames to prevent path traversal and using safe argument passing in osascript to mitigate injection risks. No evidence of malicious intent, data exfiltration, or unauthorized execution was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent matches the wrong event, a calendar item could be changed or deleted with little extra confirmation.
The skill can perform calendar mutations, including deletion/cancellation, with reduced confirmation. This is expected for a calendar skill, but it directly changes user data.
减少确认 — 取消类操作直接做;修改/冲突创建先展示预览
Before using delete or modify requests, give a specific event name and date; ask the agent to preview changes if the event is important.
Third-party calendar integrations may grant the agent access to calendar data through account credentials or OAuth tokens.
Optional Feishu/Lark MCP setup uses app credentials and stores an app secret in a local MCP config file. The document warns about this, and the behavior is related to the calendar integration.
npx -y @larksuiteoapi/lark-mcp login -a <app_id> -s <app_secret> ... app_secret 会以明文存储在 MCP 配置文件中
Only configure third-party integrations you trust, use least-privilege calendar scopes where possible, and protect MCP config files that contain secrets.
Windows calendar commands may fail or require unreviewed replacement code if the missing PowerShell script is not supplied elsewhere.
The instructions reference a Windows helper script, but the provided manifest includes only scripts/calendar.sh and no scripts/calendar.ps1. This is an implementation/provenance gap for Windows behavior.
chcp 65001 >nul && powershell -File {SKILL_DIR}/scripts/calendar.ps1 ...Do not rely on the Windows workflow unless the missing calendar.ps1 file is provided and reviewed.
The agent may keep using a previously selected calendar platform until the stored preference is changed.
The skill persists detected calendar platform preferences in memory so future runs skip detection. This is purpose-aligned, but persistent preferences can affect later behavior.
首次检测成功后,写入记忆:{ "qclaw_calendar_platform": "检测到的平台" }If you switch calendar providers, ask the agent to update or clear the stored calendar platform preference.
A failed automatic calendar operation might be replaced by a fallback such as an .ics file without detailed explanation.
The skill prioritizes hiding technical errors and silently falling back. This may improve usability, but users may not always understand which calendar method was actually used.
不暴露技术错误 — 用户不需要看到任何报错信息,静默切换方式,只说"换了个方式帮你处理~"
For important events, ask the agent to state exactly where the event was created, modified, or deleted.