ClawAudit verdict
aries-holiday-weekday
The skill appears to be a tool for querying Chinese holiday notices to determine workdays, holidays, and make-up workdays. It seems to be a legitimate utility and does not appear to have any malicious behavior.
โ Flagged for review โ coarse, uncorroborated signal, not a confirmed exploit. Review the config yourself before installing.
Automated static analysis โ not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives. Disagree with this verdict? Use Dispute below.
Findings (2)
Possible hardcoded credential
scripts/query_holiday.py ยท prose ยท downgraded ยท SECRET = "99b2eeecb4f10339
Popular HTTP library โ network access
scripts/query_holiday.py ยท prose ยท downgraded ยท got
Permissions & capabilities
No declared permissions โ minimal attack surface.
Is this flag fair?
Thanks โ recorded.