ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Chinese Calendar Cn

v5.0.1

中国农历工具。节气查询、生肖年份、黄道吉日、传统节日、天干地支、农历转换。Chinese lunar calendar with solar terms, zodiac, auspicious dates, festivals, and Heavenly Stems.

0· 415·1 current·1 all-time
by@bytesagain1
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill description and SKILL.md advertise calendar-specific commands (jieqi, shengxiao, tiangan, jieri, jiri, zhuanhuan, minsu) for lunar-calendar functions and Chinese-language outputs. The only code file (scripts/script.sh) implements a different set of commands (intro, guide, tips, planning, resources, mistakes, examples, faq) that produce generic reference text, largely in English. This is a substantive mismatch: the shipped script does not provide the calendar computation or conversion capabilities the skill claims.
!
Instruction Scope
SKILL.md gives usage examples invoking commands that do not exist in the script (e.g., chinese-calendar-cn jieqi). SKILL.md claims 'All commands output plain-text reference documentation in Chinese', but the script's output is generic documentation content and primarily English. The runtime instructions therefore would lead an agent to call non-existent commands or rely on behavior not present in the executable.
Install Mechanism
There is no install spec (instruction-only style) and the script is just a shell file included in the package. No remote downloads or unusual install steps are present, so there is low installation risk. However, packaging a script without a corresponding install/invocation mapping increases the chance of operational failure (not a security risk per se).
Credentials
The skill requests no environment variables, no credentials, and the script does not read environment variables or system files. There are no indicators of secret access or exfiltration in the files provided.
Persistence & Privilege
The skill does not request elevated persistence (always: false) and does not modify other skills or system-wide settings. Autonomous invocation is allowed by default, which is normal; this is not combined with other red flags like broad credential access.
What to consider before installing
This package appears mispackaged: the SKILL.md and metadata advertise Chinese lunar-calendar features (conversion, zodiac, solar terms) but the included script implements generic reference/help commands and not the advertised calendar commands. Before installing or enabling it: 1) ask the publisher for the correct executable or an updated SKILL.md that matches the script; 2) verify the actual commands and test the script in a sandbox to confirm behavior; 3) note the version mismatches (metadata 5.0.1, SKILL.md 5.0.0, script VERSION=4.0.0) which suggest packaging errors. There is no evidence of malicious behavior or credential access, but the functional inconsistency means the skill likely won't perform as described.

Like a lobster shell, security has layers — review code before you run it.

latestvk9745znxpfcd9wx930pncm0vqs83gb19

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments