gcal-pro - Google Calendar

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing and authenticating can grant the skill access to view calendar data, and in Pro mode to create, edit, or delete events.

Why it was flagged

The skill persists a Google OAuth token locally and Pro mode requests a Calendar events scope that can read and write calendar events.

Skill content

TOKEN_FILE = CONFIG_DIR / "token.json"
SCOPES_FREE = ["https://www.googleapis.com/auth/calendar.readonly"]
SCOPES_PRO = ["https://www.googleapis.com/auth/calendar.readonly", "https://www.googleapis.com/auth/calendar.events"]

Recommendation

Review the Google OAuth consent screen, use read-only access if you do not need Pro features, protect ~/.config/gcal-pro/token.json, and revoke access if you stop using the skill.

What this means

A mistaken or premature delete/edit command could alter calendar data.

Why it was flagged

The skill exposes destructive calendar operations and documents a -y delete flow, while also instructing the agent to confirm with the user first.

Skill content

**⚠️ CONFIRMATION REQUIRED for destructive actions!**
Before deleting or significantly modifying an event, ALWAYS confirm with the user ...
python scripts/gcal_core.py delete --id abc123xyz -y

Recommendation

Only allow create, edit, or delete commands after the event details have been shown and you have clearly confirmed the action.

What this means

If enabled, the skill may run every day and produce calendar summaries without a fresh prompt each time.

Why it was flagged

The skill supports a user-configured recurring background task for daily calendar briefs.

Skill content

Morning Brief (Pro + Cron)
Set up via Clawdbot cron to send daily agenda ... Schedule: 8:00 AM daily ... Action: Run `python scripts/gcal_core.py brief`

Recommendation

Enable cron briefs only if you want recurring automation, and periodically review or disable the schedule if no longer needed.

What this means

Calendar details may be delivered to a messaging provider or channel you configure.

Why it was flagged

The skill describes sending calendar brief output through external messaging channels.

Skill content

Delivery: Send output to user's messaging channel
...
**Messaging**: Deliver briefs via Telegram/WhatsApp/etc.

Recommendation

Use only trusted private delivery channels for briefs, and avoid sending sensitive schedule details to shared chats.

What this means

Future dependency versions could change behavior or introduce vulnerabilities after installation.

Why it was flagged

Dependencies are pulled by minimum version ranges rather than pinned exact versions or a lockfile.

Skill content

google-auth>=2.23.0
google-auth-oauthlib>=1.1.0
google-api-python-client>=2.100.0
python-dateutil>=2.8.2

Recommendation

Install in a virtual environment and consider pinning or locking dependency versions before long-term use.