Is hehuibiao/lunar-calendar safe?
https://github.com/openclaw/skills/tree/main/skills/hehuibiao/lunar-calendar
This skill provides a legitimate Chinese lunar calendar function but was packaged directly from a developer's working directory, resulting in a bloated archive containing shell scripts capable of creating GitHub repositories and pushing code using access tokens, a LAUNCH_NOW.sh file with unknown content, and a provenance inconsistency (skill slug 'hehuibiao' vs INSTALL.md pointing to 'xiamuciqing'). No canary files were accessed, no unexpected network connections occurred during install, and SKILL.md itself contains no overtly malicious prompt injection — but the bundled shell scripts and the unknown LAUNCH_NOW.sh content represent an elevated risk surface requiring investigation before deployment.
Findings (10)
HIGH LAUNCH_NOW.sh Present with Unknown Content -20
A file named LAUNCH_NOW.sh exists in the skill root directory. The name is an imperative command strongly suggesting it was designed to be executed directly. The audit process read its content (confirmed by auditd execve at timestamp 1771926127.988) but the content is not present in the evidence provided, making it impossible to determine what the script does. In a deployed skill where an agent has shell tool access, it could be instructed or manipulated into running this file.
HIGH github_auto_setup.sh Creates GitHub Repos and Pushes Code Using GITHUB_TOKEN -15
The file github_auto_setup.sh (generated by create_github_repo.sh and also present as a standalone file) uses $GITHUB_TOKEN to call the GitHub API to create a new repository and then push all local code to it. It hardcodes the target username as 'xiamuciqing'. If an agent runs this script with a user's GITHUB_TOKEN in the environment, it would create a public GitHub repository and push potentially sensitive content to it.
MEDIUM GITHUB_TOKEN Stored in Plaintext via Git Remote URL Pattern -12
github_auto_setup.sh adds a git remote using the pattern https://$GITHUB_TOKEN@github.com/... This causes git to store the token in plaintext in .git/config, where it is visible to any process that reads the config file. It is also visible in process argument lists during execution. This is a well-known credential exposure antipattern.
MEDIUM Username Mismatch Between Skill Slug and INSTALL.md -15
The skill is published under the path hehuibiao/lunar-calendar, implying the author is 'hehuibiao'. However, INSTALL.md consistently references a GitHub repository owned by 'xiamuciqing' (https://github.com/xiamuciqing/lunar-birthday-reminder) for downloads, updates, and issue tracking. This inconsistency raises questions about authorship, whether the skill was submitted with permission, and whether the external download URL is controlled by the same party.
MEDIUM External Python Package Dependencies Introduce Supply Chain Risk -10
The skill's core computation script (lunar_calculator.py) imports from lunardate and cnlunar. The skill itself does not bundle these packages and requires them to be pre-installed via pip. These packages are not audited as part of this review. A compromised version of either package on PyPI would execute within the agent's Python environment whenever the skill invokes lunar_calculator.py.
MEDIUM Package Shipped Directly from Developer Working Directory -10
The skill package contains 4 timestamped validation JSON files from the author's development session (all dated 2026-02-13), multiple GitHub workflow guides, ClawHub community post drafts, release notes, a final checklist, and a final report — none of which are referenced by SKILL.md or needed for operation. This indicates the entire developer working directory was uploaded as the skill package, increasing the attack surface and obscuring what the skill actually needs.
MEDIUM INSTALL.md References External Download URL from Unverified Repository -8
INSTALL.md instructs users to download a tar.gz release from a GitHub repository owned by 'xiamuciqing', which is not the same user associated with the skill slug. This externally-hosted archive is not audited and could contain different or additional code beyond what is in the skill package.
LOW Authority Escalation via XML Priority Framing -5
SKILL.md uses a
LOW publish.sh Creates Files and Archives Outside Skill Directory -5
The publish.sh script creates a release staging directory at ../lunar-calendar-release and compresses it into ../lunar-birthday-reminder-v1.0.0.tar.gz — both paths resolve outside the skill directory. While this script is a developer utility not referenced by SKILL.md, its presence means an agent assisting with 'publishing' could write files outside the expected working directory.
INFO Network Activity Consistent with Expected Install 0
All observed network connections are attributable to the git sparse-checkout (GitHub at 140.82.114.3:443), Ubuntu system infrastructure (Canonical/Ubuntu at 91.189.91.48 and 185.125.188.x), GNOME session startup (Firefox, D-Bus, etc.), and the pre-existing SSH session. No connections to unexpected third-party endpoints were observed during the skill install window. Connection diff shows no new persistent outbound connections post-install.