📅 Luma Event Manager — Event Discovery and Management

v2.1.1

Search Luma events by topic or location, RSVP, view guest lists, and sync to Google Calendar in one click, with no API key or Luma Plus subscription required.

Last updated: 2026/4/22
Security scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
The skill's stated purpose (web-scraping Luma events and optional Google Calendar sync) is plausible, but there are multiple inconsistencies and sensitive operations (reading session cookies from your pass store, npm install, use of gog CLI) that are not fully declared in the registry metadata and could allow remote account access if invoked without care.
Assessment recommendations
Things to consider before installing:
- Confirm the author/repo (SKILL.md points to a GitHub repo) and review the source code (especially src/scraper.ts, src/rsvp.ts, and package.json) for any network endpoints other than lu.ma and Google.
- Understand that using this skill for authenticated actions requires you to supply lu.ma session cookies; the SKILL.md recommends storing them in pass. Only do this if you trust the code, and prefer temporary credentials or manual, per-use entry if possible....
Detailed analysis
Purpose and capabilities
The SKILL.md and code files implement web scraping, RSVP, and Google Calendar sync (via the gog CLI) which matches the description. However the registry metadata earlier reported no required binaries or homepage while SKILL.md metadata requires the 'pass' binary and references the 'gog' CLI — those binaries are reasonable for the stated features but their omission from the registry is an inconsistency that reduces trust.
Instruction scope
Runtime instructions ask the user to export lu.ma session cookies and store them in pass. That gives the skill access to authenticated user sessions (host/guest lists, RSVP). The SKILL.md does not instruct reading any unrelated system files, but the explicit request to store session cookies in pass is a sensitive operation and could be abused if the skill reads them automatically.
Install mechanism
There is no registry install spec, but SKILL.md includes an npm install step and the package.json + package-lock.json are present — installing will fetch npm dependencies (moderate risk). No remote binary download or obscure URL is used in the provided instructions, which reduces install risk, but you should inspect package.json dependencies before running npm install.
Credential requirements
The skill requires sensitive credentials in practice (lu.ma session cookies) and relies on local CLIs ('pass' to store/read cookies, and optionally 'gog' for Google Calendar). The registry metadata lists no required env vars/binaries while SKILL.md requires 'pass' and references 'gog' — this mismatch is troubling because it understates the level of access needed to operate and to be useful.
Persistence and privileges
The skill is not marked always:true, but disable-model-invocation is not set; that means the model could invoke the skill autonomously. Because the skill accesses session cookies via pass and can perform authenticated actions (view guest lists, RSVP), allowing autonomous invocation without additional safeguards increases the risk of unintended account access.
Security comes in layers; review the code before running.

Runtime dependencies

No special dependencies

Versions

latest v2.1.1 2026/1/30

Added repo link to description

Suspicious

Install command

Official: npx clawhub@latest install luma-event-manager
Mirror: npx clawhub@latest install luma-event-manager --registry https://cn.longxiaskill.com
Data source: ClawHub · Chinese localization: 龙虾技能库