gcal-pro - Google Calendar
PassAudited by ClawScan on May 1, 2026.
Overview
This appears to be a legitimate Google Calendar skill, but it needs local OAuth access and can modify/delete calendar events or send scheduled briefs if you enable those features.
Install only if you are comfortable granting Google Calendar access. Keep client_secret.json and token.json private, confirm event details before approving edits or deletes, and only enable cron or messaging briefs for channels you trust.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If authorized, the skill can read calendar data and, on Pro, create or change calendar events through the user's Google account.
The skill stores a local OAuth token and, for Pro users, requests Google Calendar event read/write authority. This is expected for a calendar integration but grants meaningful account access.
TOKEN_FILE = CONFIG_DIR / "token.json"
SCOPES_PRO = [
"https://www.googleapis.com/auth/calendar.readonly",
"https://www.googleapis.com/auth/calendar.events"
]Only authorize the Google scopes you are comfortable granting, keep token.json private, and revoke access from Google Account permissions or the skill's revoke command if you stop using it.
A mistaken approval or wrong event ID could create, reschedule, or delete real calendar entries.
The skill exposes event mutation and deletion workflows, including a confirmation-bypass flag after approval. The instructions require user confirmation, making this purpose-aligned but sensitive.
Before deleting or significantly modifying an event, ALWAYS confirm with the user: 1. Show event details 2. Ask "Should I delete/reschedule this?" 3. Only proceed with `confirmed=True` or `-y` flag after user confirms
Require the assistant to show the exact event title, time, and ID before approving edits or deletes.
Calendar details could be delivered to Telegram, WhatsApp, or another channel if the user configures that integration.
The optional morning brief can send calendar-derived information through a messaging channel. This is disclosed, but the privacy boundary depends on the user's messaging setup.
**Cron setup example:** - Schedule: 8:00 AM daily - Action: Run `python scripts/gcal_core.py brief` - Delivery: Send output to user's messaging channel
Enable morning briefs only for trusted delivery channels and avoid sending sensitive calendar details to shared chats.
If enabled, the skill may continue reading calendar data and producing briefs on a daily schedule.
The skill supports recurring scheduled execution for daily agenda generation. This is a disclosed feature, not hidden persistence.
### Morning Brief (Pro + Cron) Set up via Clawdbot cron to send daily agenda
Only configure the cron job if you want recurring briefs, and remove the scheduled job when it is no longer needed.
Future dependency versions could differ from what the author tested.
The Python dependencies use lower-bound version constraints rather than exact pins. These packages are expected for Google Calendar access, but installation will pull current compatible versions from the package source.
google-auth>=2.23.0 google-auth-oauthlib>=1.1.0 google-api-python-client>=2.100.0
Install from a trusted Python package index and consider pinning dependency versions in your own environment if reproducibility matters.