Name: calendar-sync Security Report — Trusted | ClawSafe
Item: calendar-sync
Rating: 100
Author: ClawSafe

This report was generated in Chinese. Some content may be in Chinese.

0 /100

calendar-sync

Apple 캘린더 연동 스킬 - 从结构化文档提取日期并注册到日历

日历同步工具，功能实现与文档声明一致，无恶意行为，仅存在无版本锁定的轻微依赖风险

Skill Namecalendar-sync

Duration28.0s

Enginepi

ClawHub Calendar Sync v1.0.0 by parkbeomjun-gkgkgk

📥 21

ClawHub Verdict Suspicious prompt_injection_instructionsvt_suspicious

✓

Safe to install

建议在项目中添加 requirements.txt 并锁定 icalendar>=5.0.0 版本以提升安全性

Findings 1 items

Severity	Finding	Location
Low	依赖无版本锁定 Supply Chain 使用 icalendar 库但未在代码中声明版本要求，可能拉取最新版本引入风险 `from icalendar import Calendar, Event, Alarm` → 添加 requirements.txt: icalendar>=5.0.0	`calendar_sync.py:17`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`READ_WRITE`	`WRITE`	✓ Aligned	读取 structured_results.json (line 247)，生成 .ics 文件 (line 143)
Shell	`WRITE`	`WRITE`	✓ Aligned	subprocess.run(['osascript', '-e', script]) 仅用于日历注册 (line 218)
Network	`NONE`	`NONE`	—	无任何网络请求

1 findings

🔗

Medium External URL 外部 URL

https://notion.so/...

SKILL.md:65

File Tree

4 files · 20.9 KB · 659 lines

Markdown 3f · 359L Python 1f · 300L

├─ 🐍 calendar_sync.py Python 300L · 10.1 KB

├─ 📝 chatgpt-prompt.md Markdown 86L · 2.5 KB

├─ 📝 SKILL.md Markdown 218L · 6.4 KB

└─ 📝 system-prompt.md Markdown 55L · 1.9 KB

Package	Version	Source	Known Vulns	Notes
`icalendar`	`*`	pip	No	无版本锁定，建议锁定 >=5.0.0

✓ 功能实现与 SKILL.md 声明完全一致

✓ 无 base64/eval 等混淆技术

✓ 无凭证收割或敏感路径访问

✓ 无数据外泄或外部通信

✓ AppleScript 仅用于日历操作（合理范围）

✓ 代码结构清晰，易于审计

✓ 包含输入验证和错误处理