Timezone Security Report — Low Risk | ClawSafe

20 /100

Timezone

Convert times across world timezones and compare availability

A legitimate local logging utility with no malicious behavior, though SKILL.md is misleading about its timezone conversion capability.

Skill NameTimezone

Duration34.1s

Enginepi

✓

Safe to install

The skill is safe to use but SKILL.md should be updated to accurately reflect its logging functionality instead of claiming timezone conversion.

Findings 2 items

Severity	Finding	Location
Medium	SKILL.md claims timezone conversion capability not implemented in code Doc Mismatch SKILL.md describes this as a 'Timezone' tool for 'converting times across world timezones and comparing availability.' However, scripts/script.sh performs zero timezone-related operations. It merely logs arbitrary user input to local .log files. The name 'Timezone' and the described functionality appear to be a misleading wrapper around a simple logging utility. `description: Convert times across world timezones...` → Rename the skill and update SKILL.md to accurately describe the tool as a local command/input logger, or implement actual timezone conversion functionality.	`SKILL.md:1`
Low	User input written to log files without sanitization Sensitive Access The script accepts arbitrary user input via positional arguments and writes it directly to ~/.local/share/timezone/*.log files. If a user passes sensitive data (e.g., passwords, API keys), it will be persisted to disk in plaintext. `echo "$ts\|$input" >> "$DATA_DIR/run.log"` → Add input sanitization or warn users not to pass sensitive data as arguments.	`scripts/script.sh:78`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`WRITE`	`WRITE`	✓ Aligned	SKILL.md 'Data Storage' section declares ~/.local/share/timezone/; script create…
Shell	`NONE`	`NONE`	—	No subprocess, eval, or command execution beyond set -euo pipefail.
Network	`NONE`	`NONE`	—	No curl, wget, or network calls; fully offline per SKILL.md.
Environment	`NONE`	`NONE`	—	Only accesses HOME for DATA_DIR path; no iteration over env vars.
Skill Invoke	`NONE`	`NONE`	—	No skill invocation.
Clipboard	`NONE`	`NONE`	—	No clipboard access.
Browser	`NONE`	`NONE`	—	No browser access.
Database	`NONE`	`NONE`	—	No database access.

3 findings

🔗

Medium External URL 外部 URL

https://bytesagain.com

SKILL.md:6

🔗

Medium External URL 外部 URL

https://bytesagain.com/feedback/

SKILL.md:98

📧

Info Email 邮箱地址

[email protected]

SKILL.md:101

2 files · 14.3 KB · 414 lines

Shell 1f · 313L Markdown 1f · 101L

├─ ▾ 📁 scripts

│ └─ 🔧 script.sh Shell 313L · 10.9 KB

└─ 📝 SKILL.md Markdown 101L · 3.5 KB

✓ No network requests — fully offline operation as declared

✓ No credential harvesting — script does not access ~/.ssh, ~/.aws, .env, or environment variables

✓ No obfuscation — script is readable plain bash with no base64, eval, or anti-analysis tricks

✓ No subprocess calls — script only writes to local files

✓ No supply chain risk — no external dependencies (no package.json, requirements.txt, etc.)

✓ No persistence mechanism — no cron jobs, systemd units, or startup scripts installed