Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Calendar Reminders (gcalcli + CalDAV)

v0.1.1

Provides a config-driven wrapper around gcalcli plus optional CalDAV integration to generate JSON reminder plans for scheduling one-shot OpenClaw reminders.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description describe a gcalcli + CalDAV reminder planner and the included Python script and example config implement that. One minor incoherence: the registry metadata claims no required binaries, but SKILL.md and the script clearly expect python3 and gcalcli (and optionally khal/vdirsyncer). This appears to be an omission in metadata rather than malicious behavior.
Instruction Scope
Runtime instructions and the script only read a user config (~/.config/openclaw/calendar.json or path set by OPENCLAW_CALENDAR_CONFIG), optionally read a state file under ~/.local/state, and call gcalcli/khal/vdirsyncer to collect events. The skill does not try to read unrelated system files, request unrelated env vars, or post data to remote endpoints. Subprocess calls use argument lists (no shell=True), which the README notes and the code uses.
Install Mechanism
There is no install spec (instruction-only + included script). Nothing is downloaded or written by an installer in the bundle. Risk is limited to executing the included Python script and whatever user-installed calendar tools (gcalcli/khal/vdirsyncer) do.
Credentials
The skill does not request secrets directly; it relies on local gcalcli OAuth credentials and any CalDAV credentials the user has configured. This is proportionate to its purpose, but users should be aware that gcalcli/khal will use stored OAuth/CalDAV credentials — the skill itself will inherit environment variables and will run external binaries, so ensure those clients' credentials are stored securely and that you point gcalcliPath/khalBin to trusted absolute paths.
Persistence & Privilege
The skill is not always-enabled and does not request elevated privileges. It is intended to be invoked by a cron job or agent run; it may read or write a small state file under the user's home directory (expected behavior to avoid duplicate reminders). It does not attempt to modify other skills or system-wide configuration.
Assessment
This skill appears to do what it says: it reads your calendar tools (gcalcli and optionally khal/vdirsyncer) and emits a JSON plan of one-shot reminders. Before installing/using it:
1) Confirm the registry metadata omission: ensure you have python3, gcalcli (and khal/vdirsyncer if you enable CalDAV) installed and configured.
2) Verify gcalcli/khal are trusted binaries (use absolute paths in config) so the script does not end up executing an unexpected program.
3) Understand that OAuth/CalDAV credentials are handled by those clients; the skill will inherit whatever local credentials they use, so keep those credentials private.
4) Review where the state file will live (default ~/.local/state/openclaw/calendar-reminders-state.json) and who can read/write it.
5) If you wire a cron job to run vdirsyncer, run it as an argv list (no shell string) as advised in the SKILL.md to avoid shell-injection risk.
If you want higher assurance, inspect the remainder of the included script (the truncated portion) to confirm it doesn't make unexpected network calls or write state outside the declared paths.

Like a lobster shell, security has layers — review code before you run it.
