Security Scan
OpenClaw
Security
high confidence: The package appears to do what it says: local appointment management with optional Google Calendar sync; code, files, and instructions are coherent with the stated purpose, with only minor packaging/installation mismatches to note.
Assessment and recommendations
This package appears to implement an on-disk Node-based appointment scheduler. Before installing or running: 1) Note the registry entry omitted an install spec even though package.json exists — run npm install only in a trusted environment and inspect package-lock.json (it references chrono-node and googleapis). 2) If you enable calendar sync, you'll need to place OAuth credentials/tokens in ~/.secrets — treat those files as sensitive. 3) The scripts read/write data under ~/.openclaw and ~/.secr...
✓ Purpose and capabilities
Name/description match the included scripts and README: booking, conflict detection, reminders, no-show tracking, waitlist, and calendar sync are implemented. The Google Calendar OAuth flow is documented and the code expects OAuth credential/token files in ~/.secrets, which is appropriate for calendar integration.
✓ Instruction scope
SKILL.md and README instruct running local Node scripts that read/write data under the user's home (~/.openclaw/workspace and ~/.secrets). The runtime instructions do not ask the agent to read unrelated system files, contact unknown endpoints, or exfiltrate arbitrary data. Reminder outputs are printed as JSON for the host agent to hand to a message tool (as documented).
ℹ Installation mechanism
Registry metadata lists no install spec (instruction-only), but the bundle includes code and a package.json; README instructs running npm install in the scripts directory. That means installing npm packages (chrono-node, googleapis) from the public registry is required to use the scripts — moderate risk relative to an instruction-only skill but not unexpected for a Node-based tool. No downloads from untrusted URLs or extract steps were observed.
ℹ Credential requirements
The skill declares no required env vars, which is accurate, but it expects and documents local credential/config files (e.g., ~/.secrets/google-calendar-credentials.json and ~/.secrets/google-calendar-token.json, plus ~/.openclaw workspace config and data). Those file accesses are proportional to calendar sync and local data storage, but users should be aware Google OAuth credentials/tokens will be read from the home directory if calendar sync is enabled.
✓ Persistence and privileges
Skill does not request elevated privileges and does not set always:true. It writes its own config and data under ~/.openclaw/workspace and saves tokens under ~/.secrets — behaviour consistent with a local scheduler. It does not modify other skills or system-wide agent configurations.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/2/18
Initial publish
● Suspicious
Install command
Official: npx clawhub@latest install appointment-scheduler
Mirror: npx clawhub@latest install appointment-scheduler --registry https://cn.clawhub-mirror.com
Data source: ClawHub · Chinese localization: 龙虾技能库