Claw Calendar Skill

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward calendar API helper that uses a user-provided Claw Calendar API key to list and create calendars and events.

Install only if you want the agent to manage your Claw Calendar data. Keep the API key private, leave CLAW_CALENDAR_API_URL unset unless you trust the replacement endpoint, and review calendar IDs, event details, reminders, and returned subscription links before using or sharing them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Context-Inappropriate Capability

Low

Confidence: 77% confidence
Finding: Allowing the Bash tool gives the skill broader execution power than is necessary for a calendar REST API wrapper, increasing the attack surface if the skill is invoked with adversarial input or later modified unsafely. Even though the current documentation only describes API operations, unnecessary shell access can enable command execution, file access, and chaining with environment secrets.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal