Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Opys Calendar Skill
v0.1.2
A local markdown-backed calendar with CLI and optional two-way Google Calendar sync.
⭐ 1 · 389 · 0 current · 0 all-time
by @21j3phy
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the code and instructions: the repo provides a CLI, a React UI, an Express API server, and optional two-way Google Calendar sync. The environment variables and local files referenced (calendar.md, snapshot, sync state) are consistent with a local-first calendar with optional Google OAuth.
Instruction Scope
SKILL.md keeps scope focused on reading/writing calendar.md and using the CLI for mutating actions. It also instructs the agent to write a rolling snapshot (default ./agent-snapshot.md) and documents optional Google OAuth env vars. This is expected for an agent-first calendar, but the snapshot and session persistence are effectively data-export operations worth noticing.
Install Mechanism
No install spec is declared (instruction-only from platform perspective), but the package contains normal Node.js code and a package.json with common deps (express, dotenv, fullcalendar, etc.). There are no download-from-URL installs or unusual third-party installers in the repo metadata.
Credentials
Requested environment variables (Google OAuth client id/secret/redirect URI, APP_BASE_URL, PORT, and snapshot config) are proportional to optional Google sync and running the local server. They are optional in package.json. Be aware that supplying GOOGLE_CLIENT_SECRET enables the app to obtain OAuth tokens which the server persists locally.
Persistence & Privilege
The server and CLI persist multiple files to the project root: agent snapshots (agent-snapshot.md by default or as configured by CALENDAR_AGENT_SNAPSHOT), .calendar-google-sync-state.json, and a session store (.calendar-sessions.json). Persisting OAuth tokens and calendar snapshots on disk is expected for this functionality but increases local data exposure and requires filesystem protection.
Assessment
This package is internally consistent with its description, but review and handle sensitive artifacts carefully before installing or running it:
1) Protect Google OAuth credentials (GOOGLE_CLIENT_ID/GOOGLE_CLIENT_SECRET) and only set them if you intend to enable Google sync.
2) The app will persist session tokens and sync mappings to .calendar-sessions.json and .calendar-google-sync-state.json in the project root — these files contain tokens/IDs that should be kept private; consider adding them to .gitignore or removing any seed files shipped in the repo.
3) The agent snapshot (agent-snapshot.md by default) will contain recent and upcoming events and can be pointed to any path via CALENDAR_AGENT_SNAPSHOT — do not set this to a location where sensitive data should not be written.
4) The repo includes dev scripts (Playwright screenshots, etc.) and a full Node app; run npm install only from a trusted environment and inspect the code if you have strict security requirements.
5) If you don't need Google sync, leave OAuth env vars unset to avoid creating persisted tokens.
If you want more assurance, ask the author for provenance (homepage/source URL verification) or run the code in an isolated environment first.
Like a lobster shell, security has layers — review code before you run it.
latestvk97fws70q4mrp7kp27kdyj03s981x11p
