calendar-scheduling
ReviewAudited by ClawScan on May 1, 2026.
Overview
This is a coherent calendar scheduling skill, but it needs calendar OAuth access and can create bookings, so users should install it only if they want an agent managing those calendars.
Before installing, review the calendar OAuth scopes, connect only calendars you want the agent to manage, protect ~/.config/temporal-cortex/credentials.json, and require explicit confirmation before any booking or outbound scheduling proposal.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can create real calendar events or booking requests if authorized.
The skill exposes non-idempotent tools that can create calendar events. This is expected for a scheduling skill, but accidental repeated or unconfirmed calls could affect the user's calendar.
Only `book_slot` and `request_booking` modify external state... calling either tool twice creates two events
Keep the confirmation-before-booking workflow enabled, review attendee/time/calendar details carefully, and avoid retrying booking actions unless the prior attempt clearly failed.
Anyone with access to the configured credentials file or MCP server context may be able to act on the connected calendars within the granted OAuth scopes.
The skill stores and uses OAuth tokens for calendar providers. That credential access is necessary for calendar management but gives the MCP server delegated access to the connected calendars.
`credentials.json` | OAuth tokens for calendar providers | Setup wizard / auth command
Connect only the calendar accounts you intend to manage, review OAuth scopes during setup, protect the credentials file, and revoke provider access if you stop using the skill.
Installing the skill runs and trusts the external MCP server package that handles calendar operations.
The runnable MCP server is installed from an external npm package. It is pinned to a specific version and matches the skill purpose, but installation still depends on the package's provenance.
node | package: @temporal-cortex/cortex-mcp@0.9.1 | creates binaries: cortex-mcp
Install from the expected npm package, verify the listed project/source links if your environment is sensitive, and keep the package version pinned or reviewed before updating.
If Platform Mode is enabled, scheduling identifiers such as emails or Temporal Link slugs may be sent to Temporal Cortex servers.
Optional Platform Mode introduces an external Temporal Cortex API flow for cross-user scheduling. The artifact discloses the boundary and says credentials are not sent, but email or slug identifiers may be shared.
Platform Mode: Three additional tools (`resolve_identity`, `query_public_availability`, `request_booking`) call `api.temporal-cortex.com`... only the email or slug being resolved.
Use Local Mode if you want provider-only calendar access, and enable Platform Mode only when cross-user Temporal Link scheduling is desired.