Back to skill
Skillv1.1.0
ClawScan security
Hackathon Manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 11, 2026, 9:44 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code and runtime instructions match its described purpose (tracking hackathons, local JSON storage, optional Google Calendar sync); nothing requested or installed appears disproportionate or unrelated.
- Guidance
- This skill appears to do what it says, but review and accept these behaviors before installing: - Data storage: it will create and modify ~/.openclaw/workspace/hackathons.json and may read a workspace HACKATHONS.md file. If you have sensitive data in those files, review them first. - URL fetching: when you provide hackathon URLs the agent will fetch those pages (web_fetch) to extract details — only provide URLs you trust. - Google Calendar: syncing uses the gog CLI (external tool). If you run gcal sync/remove the tool will create or delete events in your Google Calendar using whatever gog is authenticated with — verify gog's auth and permissions. - No secrets are requested by the skill itself, and it does not install remote code, but you can inspect scripts/manager.py locally (it's included) before use. If you want extra caution, run manager.py commands manually rather than letting an agent invoke them autonomously.
Review Dimensions
- Purpose & Capability
- okName/description, SKILL.md, and the included scripts/manager.py are consistent: the tool stores hackathons in ~/.openclaw/workspace/hackathons.json, can import from a HACKATHONS.md, extracts info from provided URLs (via agent web_fetch) and optionally syncs with Google Calendar using the gog CLI. There are no unexpected credentials, cloud APIs, or unrelated binaries requested.
- Instruction Scope
- okSKILL.md instructs the agent to run the local manager.py commands, to use web_fetch to retrieve hackathon pages when a URL is supplied, and to read HACKATHONS.md in the workspace. Those actions are within scope for a hackathon manager. Note: web_fetch will cause the agent to fetch arbitrary URLs you provide; the script also reads/writes local files (~/.openclaw/workspace) as expected.
- Install Mechanism
- okThis is an instruction-only skill with a local Python script and no install spec or downloads. Nothing is pulled from external URLs or installed on demand by the skill itself.
- Credentials
- okThe skill declares no required environment variables or credentials. The code briefly reads/sets ZONEINFO on Windows (to help the gog CLI) and checks USERNAME for a common Windows path — these are minor and proportional to the stated Google Calendar support. It does not request secrets or unrelated tokens.
- Persistence & Privilege
- okalways is false and the skill stores data only under the user's home directory (~/.openclaw/workspace/hackathons.json). It does not modify other skills or system-wide settings. It will invoke the gog CLI if the user asks to sync, which may create/delete calendar events (expected behavior).