ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Mac Reminders Agent

v1.4.0

Integrate with macOS Reminders app to check, add, edit, delete, and complete reminders. Supports multiple reminder lists (calendars), priority levels (high/m...

4· 1.9k·3 current·3 all-time
bySwan C@swancho
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description align with code and assets: Node CLI, AppleScript bridge, and a Swift EventKit helper implement listing, adding, editing, deleting, and recurrence for macOS Reminders. Required runtime tools (node, Swift/Xcode CLT, applescript module) match the stated functionality.
Instruction Scope
SKILL.md and cli.js only instruct the agent to read local files (locales, optional meeting-note files) and to invoke local scripts (apple-bridge.js, eventkit-bridge.swift). All runtime actions are limited to local Reminders app access and local parsing; there are no opaque remote endpoints or instructions to exfiltrate data.
Install Mechanism
Install is just 'npm install' in the skill directory and the package pulls the 'applescript' npm package from the public registry (package-lock.json present). No external arbitrary downloads or URL-based installer stages were found.
Credentials
The skill does not request environment variables, credentials, or config paths. It does require the user to grant macOS automation/Reminders permissions (expected and necessary for functionality) and to have Swift available for native recurrence — these are proportionate to the stated purpose.
Persistence & Privilege
The skill does not request elevated platform privileges and 'always' is false. SKILL.md provides examples for creating cron jobs and a LaunchAgent to run the CLI on a schedule; these are optional user actions (not performed automatically) and should be reviewed by the user before enabling to ensure paths and scheduling match their environment.
Assessment
This skill appears to do what it claims: it runs locally on macOS, uses AppleScript and a Swift EventKit helper to access the Reminders app, and has no network exfiltration or secret-requiring behavior. Before installing: - Confirm you are on macOS and comfortable granting Terminal (or whichever host process runs the skill) automation access to Reminders and to allow the Swift helper to access Reminders. macOS will prompt for these permissions. - Review the LaunchAgent/crontab examples before copying them; they run the CLI on a schedule and reference specific node/node paths and filesystem locations that you should adjust to your machine. - If you want extra assurance, inspect reminders/eventkit-bridge.swift and reminders/apple-bridge.js (both included) — they perform local EventKit and AppleScript operations. Note: there are some minor API/implementation details in the Swift helper you can review, but nothing in the repository indicates hidden remote calls or credential collection. - If you do not want scheduled automatic runs, do not install the LaunchAgent/crontab examples. Grant permissions only when you trust the code and intend to use the skill.
cli.js:76
Shell command execution detected (child_process).
reminders/apple-bridge.js:68
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk971ryaabb6gqzryshzm48yykx82vg66

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments