Opys Calendar Skill

Warn

Audited by ClawScan on May 10, 2026.

Overview

This looks like a real calendar app, but it stores Google sign-in tokens and ships real-looking calendar/sync data that users should review before use.

Before installing, replace or delete the bundled `calendar.md`, `.tmp-recent-calendar.md`, and `.calendar-google-sync-state.json`. Do not sign in with Google unless you are comfortable with local token storage in `.calendar-sessions.json`, and supervise any delete, import, or sync actions.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If you sign in with Google, the app can read and modify calendar data and leaves reusable session tokens on disk in the project folder.

Why it was flagged

The server requests full Google Calendar access and persists OAuth access/refresh token session data to a local JSON file.

Skill content

const oauthScope = ["openid", "email", "profile", "https://www.googleapis.com/auth/calendar"].join(" "); ... type SessionTokens = { accessToken: string; refreshToken?: string; expiryAt: number; ... }; ... const sessionStorePath = path.join(root, ".calendar-sessions.json"); ... fs.writeFileSync(sessionStorePath, JSON.stringify(data, null, 2));

Recommendation

Document `.calendar-sessions.json`, protect or encrypt stored tokens, provide a clear logout/revoke/cleanup path, and consider narrower OAuth scopes where possible.

What this means

Users may inherit or expose someone else's sync metadata, and the app may treat stale account-specific mappings as part of its persistent state.

Why it was flagged

The packaged sync-state file contains a real-looking Google account identifier/email and event ID mappings.

Skill content

"112837351600268447145:niravsurabhi@gmail.com": { "md_evt_vDmneprY": "26lhq70ge2m2nlm5jtre85l554", ... }

Recommendation

Ship without account-specific sync state, or require users to delete/reset `.calendar-google-sync-state.json` before first use.

What this means

An agent or Google sync could treat the bundled events as the user's own schedule, causing privacy confusion or accidental syncing of unwanted events.

Why it was flagged

The source-of-truth calendar file is populated with real-looking personal schedule entries rather than an empty or clearly demo calendar.

Skill content

- [ ] `evt_Z_1VeBj-` | 2026-02-25 18:10 -> 2026-02-25 18:25 | **Pick up sister** (`life`)

Recommendation

Replace `calendar.md` with a clean template before publishing or installing, and clearly label any sample data as demo-only.

What this means

Mistaken agent actions could change or remove calendar entries locally and, when synced, in Google Calendar.

Why it was flagged

The documented workflows allow an agent/user to delete local events and initiate two-way Google Calendar synchronization.

Skill content

Delete: `npm run cli -- delete --id <event_id>` ... Click **Sync Now** for two-way merge.

Recommendation

Require explicit user approval for deletes, bulk changes, imports, and Google sync operations.

What this means

Recent and upcoming schedule details may be duplicated into another file that agents or local tools can read later.

Why it was flagged

The skill intentionally writes recent/upcoming calendar context to a persistent file for agent reuse.

Skill content

Every mutating CLI command writes a rolling markdown snapshot. Default path: `./agent-snapshot.md`. Override with `CALENDAR_AGENT_SNAPSHOT`.

Recommendation

Store snapshots only in a private project location, avoid sharing them unintentionally, and clear them when no longer needed.