gcal-pro - Google Calendar
v1.0.0Google Calendar integration for viewing, creating, and managing calendar events. Use when the user asks about their schedule, wants to add/edit/delete events, check availability, or needs a morning brief. Supports natural language like "What's on my calendar tomorrow?" or "Schedule lunch with Alex at noon Friday." Free tier provides read access; Pro tier ($12) adds create/edit/delete and morning briefs.
⭐ 1· 1.5k·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description (Google Calendar read/write, morning brief, cron) match the included scripts and docs. The skill asks the user to supply Google OAuth client_secret.json and stores tokens in ~/.config/gcal-pro — which is expected for this purpose. The Pro license checks are local to the skill (no external license service), which fits the described one-time $12 model but is an implementation choice rather than an access inconsistency.
Instruction Scope
SKILL.md instructs only calendar-related operations (list, search, create, update, delete, free/busy, morning brief) and local setup steps. It references integration with Clawdbot messaging/cron but does not instruct reading unrelated system files or network exfiltration. The upgrade prompt points to a placeholder gumroad link and the license activation is performed locally (no Gumroad API calls).
Install Mechanism
This is instruction-only (no remote download/install spec). Dependencies are declared in requirements.txt and are standard Google API client packages on PyPI. No archive downloads or external code hosts are used by the install spec.
Credentials
The skill requests no environment variables and only uses user-supplied OAuth client_secret.json and local token/license files under ~/.config/gcal-pro — appropriate for calendar access. Two practical notes: (1) revoke_credentials uses the requests library but 'requests' is not listed in requirements.txt (runtime error risk), and (2) license activation is a local format check (no server-side verification), so 'Pro' status can be faked by writing license.json locally.
Persistence & Privilege
The skill stores token.json and license.json under its own config directory (~/.config/gcal-pro). It does not request always:true or attempt to modify other skills' configs. Storing OAuth tokens locally is expected for this functionality; the skill sets file permissions where possible.
Assessment
This package appears to do what it claims: manage your Google Calendar after you run the OAuth flow. Before installing: (1) review the code yourself or from a trusted source because the registry source is "unknown"; (2) keep your client_secret.json and token.json private — the skill stores them at ~/.config/gcal-pro; (3) be aware the Pro license check is local (no Gumroad verification) so purchases may be enforced client-side only — verify the payment/activation flow before paying; (4) the revoke command requires the requests package but requirements.txt doesn't list it (you may need to pip install requests); and (5) if you will integrate this with a messaging service or cron, confirm that those integrations require their own credentials and the skill will not magically obtain them. If you don't trust the unknown source, run the scripts in a controlled environment or inspect/modify them before authenticating with your Google account.Like a lobster shell, security has layers — review code before you run it.
latestvk973wqshd44fmcbgwxepknm6vs7zzxs4
License
MIT-0
Free to use, modify, and redistribute. No attribution required.