temporal-cortex
ReviewAudited by ClawScan on May 1, 2026.
Overview
The skill is coherently focused on calendar scheduling, but users should be aware it installs an MCP server, stores calendar OAuth tokens, and can create calendar events when confirmed.
This appears appropriate for a calendar scheduling skill. Before installing, be comfortable granting calendar OAuth access, storing tokens locally under ~/.config/temporal-cortex/, installing the pinned npm MCP package, and approving any booking before it is created.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent or user confirms the wrong action, it could add unintended meetings to a calendar.
The skill exposes tools that can create real calendar events and are non-idempotent, so accidental repeated calls could create duplicate bookings.
Only `book_slot` and `request_booking` modify external state... both tools create calendar events... calling either tool twice creates two events
Review booking details before approving, and use the skill’s stated check-before-booking and confirmation steps.
Installing and configuring the skill gives it access to connected calendar accounts according to the OAuth permissions granted.
The skill stores and uses OAuth tokens for connected calendar providers, which is expected for scheduling but grants access to calendar account data and actions.
`credentials.json` | OAuth tokens for calendar providers | Setup wizard / auth command
Grant only the calendar accounts and scopes you intend to use, and protect the credentials file.
The behavior of the installed MCP server depends on the npm package matching the documented security model.
The skill installs its MCP server from a remote npm package; the package version is pinned, but the reviewed artifact set does not include the server source code itself.
node | package: @temporal-cortex/cortex-mcp@0.9.1 | creates binaries: cortex-mcp
Install from the pinned package and verify the package/source provenance if you require higher assurance.
If Platform Mode is enabled, some scheduling identifiers may be sent to the Temporal Cortex service.
Optional platform-mode scheduling sends identifiers such as emails or slugs to Temporal Cortex APIs; the artifact states credentials are not included and local mode is the default.
Platform Mode: Three additional tools (`resolve_identity`, `query_public_availability`, `request_booking`) call `api.temporal-cortex.com`... only the email or slug being resolved
Use Local Mode if you want provider-only traffic, and enable Platform Mode only when cross-user Temporal Link scheduling is needed.