Scan Report
5/100
calendar-crab
Google Calendar CLI — list, create, move, and delete events
Clean Google Calendar CLI with legitimate OAuth implementation, no malicious behavior detected.
OK to install
This skill is safe to use. No security concerns identified.
Security findings: 1

| Severity | Finding | Location |
|---|---|---|
| Low | Token file write not explicitly declared (documentation deception) | calendar-crab.js:74 |

| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | READ | READ+WRITE | ✓ Consistent | Reads/writes to ~/.openclaw/secrets for OAuth tokens - necessary for OAuth flow |
| Network access | READ | READ | ✓ Consistent | HTTPS requests only to oauth2.googleapis.com and www.googleapis.com (Google APIs… |
| Command execution | NONE | NONE | — | No subprocess, exec, or shell execution detected |
| Environment variables | READ | READ | ✓ Consistent | Reads CALENDAR_CRAB_SECRETS, CALENDAR_CRAB_TZ, CALENDAR_CRAB_CALENDAR - all decl… |
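5 findings

| Severity | Type | Value | Location |
|---|---|---|---|
| Medium | External URL | https://console.cloud.google.com/ | README.md:33 |
| Info | Email address | [email protected] | SKILL.md:31 |
| Info | Email address | [email protected] | SKILL.md:31 |
| Info | Email address | [email protected] | calendar-crab.js:176 |
| Info | Email address | [email protected] | calendar-crab.js:176 |

Directory structure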
3 files · 15.2 KB · 506 lines
JavaScript: 1 file · 331 lines
Markdown: 2 files · 175 lines
├─ calendar-crab.js (JavaScript)
├─ README.md (Markdown)
└─ SKILL.md (Markdown)
Security highlights
✓ Zero external dependencies - no supply chain risk
✓ Native Node.js https.request used for API calls - no curl/wget
✓ Network requests limited to legitimate Google APIs (oauth2.googleapis.com, www.googleapis.com)
✓ No shell execution, subprocess, or eval() calls
✓ No credential harvesting or exfiltration
✓ No obfuscation or hidden functionality
✓ OAuth implementation follows standard Google OAuth2 flow
✓ Access tokens stored locally in user's secrets directory (~/.openclaw/secrets)