ics to exchange-blocker
v1.0.0Sync any ICS/iCal calendar to Microsoft Exchange as blocked time slots — supports recurring events, change detection, and privacy-preserving sync
⭐ 0· 81·0 current·0 all-time
by@blucaru
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description, required binaries (python3), required env vars (ICS URL + Azure client/tenant IDs), and the files (Python code + installer) are all consistent with a macOS tool that reads an ICS feed and writes events to Microsoft Graph.
Instruction Scope
SKILL.md and the code limit behavior to fetching an HTTPS ICS feed, computing time slots, and creating/updating/deleting 'Blocked' events on Microsoft Graph. It runs a local browser-based OAuth flow (opens browser and listens on 127.0.0.1:8400) and writes local state under ~/.calintegration. Minor mismatches: the code reads an additional env var CALINT_GOOGLE_ICS_URL as a fallback (not declared in metadata), and the installer suggests installing a launchd job for periodic sync — both are reasonable but worth noting to users.
Install Mechanism
There is no packaged installer declared to the registry, but the included install.sh creates a Python venv and runs pip install -r requirements.txt (public PyPI packages). This is a standard, low-to-moderate-risk install mechanism (no downloads from unknown servers, no extracted archives from arbitrary URLs).
Credentials
Requested environment variables (CALINT_ICS_URL, CALINT_MS_CLIENT_ID, CALINT_MS_TENANT_ID) are appropriate for this functionality. The code also accepts CALINT_GOOGLE_ICS_URL as an undocumented fallback, which is minor but should be documented. Tokens and state are stored locally under ~/.calintegration with restrictive permissions as advertised.
Persistence & Privilege
The skill does not request elevated or global agent privileges. It can optionally install a macOS launchd plist to run every 5 minutes (installer gives instructions) — this is a user action and not forced by the skill metadata (always:false). Files and tokens are stored only in the user's home directory.
Assessment
This skill appears to do what it says, but check the following before installing:
- Only add ICS feed URLs you trust: the feed may contain private information or a secret token in the URL. The tool reads that URL and will push 'busy' events to your Exchange account.
- The Azure app needs Calendars.ReadWrite delegated permission; you must register it and sign in interactively (the tool opens a browser and runs a local HTTP listener for the OAuth redirect).
- Install creates ~/.calintegration and stores .env and ms_token.json there with chmod 600; verify you’re comfortable with local storage and the path.
- The installer proposes creating a launchd job to run every 5 minutes — do not install the plist if you do not want periodic background sync.
- Note: the code also checks CALINT_GOOGLE_ICS_URL as a fallback for the ICS feed (this env var is not listed in the registry metadata) — if you use environment variables, be aware of this extra name.
If you want extra assurance, review the included Python files locally (they are bundled) and run setup manually rather than enabling the launchd job immediately.Like a lobster shell, security has layers — review code before you run it.
latestvk9760cf5zdwtbrs2raf2h8nvw183dhyq
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
OSmacOS
Binspython3
EnvCALINT_ICS_URL, CALINT_MS_CLIENT_ID, CALINT_MS_TENANT_ID
Config~/.calintegration/.env
Primary envCALINT_ICS_URL