Skill v1.0.1

ClawScan security

Lunar Reminder · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 10, 2026, 3:46 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and instructions are coherent for a lunar-calendar reminder tool: it installs a lunar calendar npm package, reads/writes a local data file, and uses the platform cron commands to schedule reminders.
Guidance
This skill appears to do exactly what it says: use lunar-javascript to convert dates, store reminders in {{skillDir}}/data/events.json, and manage scheduled reminders via openclaw cron. Before installing: (1) verify you trust the npm package version (lunar-javascript) and run a package audit if possible; (2) be aware your reminders are stored locally at the skillDir path — back up if needed; (3) the SKILL.md runs inline node and shell commands that embed event names and other values — ensure the agent or implementation sanitizes user-provided names/values to avoid accidental command injection or malformed cron job names; (4) confirm openclaw cron commands are acceptable in your environment and that the agent has permission to manage cron jobs.

Review Dimensions

Purpose & Capability
ok · Name/description, declared install (lunar-javascript), and runtime behavior (convert lunar<->solar, store events, create cron jobs) are consistent. Requiring the lunar-javascript package is appropriate for calendar calculations.
Instruction Scope
note · Instructions stay within the stated purpose (managing reminders and conversions). Two minor concerns: (1) runtime uses inline node -e commands and shell cron commands that embed values (YEAR/MONTH/DAY and event names). The SKILL.md does not describe sanitization of user-provided event names or inputs, which could lead to accidental shell/command injection or malformed cron names if inputs contain quotes or special characters. (2) The skill reads/writes {{skillDir}}/data/events.json — expected, but users should know data is stored locally in that path.
Install Mechanism
ok · Install spec is an npm package (lunar-javascript) which is proportionate to the stated functionality. This is a common, traceable mechanism; no arbitrary download URLs or extract steps are present.
Credentials
ok · No environment variables, credentials, or unrelated config paths are requested. The requests are minimal and appropriate for the task.
Persistence & Privilege
ok · Skill does not request always: true and will not force inclusion. It writes its own data file and uses platform cron commands to schedule tasks — this is expected behavior for a reminder skill and does not modify other skills or global configs.