Cal.com
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: cal-com Version: 1.0.1 The skill provides a legitimate integration for Cal.com via the Maton API proxy (api.maton.ai). It includes standard API documentation and Python code snippets for managing scheduling resources like bookings and event types. The instructions in SKILL.md specifically include a security requirement for the agent to obtain user approval before performing write operations, and no evidence of data exfiltration or malicious execution was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the key or connection is misused, actions could be taken against the connected Cal.com account.
The skill uses a Maton API key and delegated OAuth access to act on a connected Cal.com account. This is expected for the integration, but it is still account-level authority.
All requests require the Maton API key in the Authorization header ... Maton proxies requests to `api.cal.com` and automatically injects your OAuth token.
Keep MATON_API_KEY private, connect only the intended Cal.com account, use the Maton-Connection header when multiple accounts exist, and revoke connections that are no longer needed.
Approved write actions can change bookings, schedules, event types, or related Cal.com configuration.
The skill exposes API operations that can modify scheduling resources, but it also clearly requires user confirmation before writes.
Create and manage event types, bookings, schedules, calendars, and webhooks. ... **All write operations require explicit user approval.**
Before approving any write action, verify the target account, resource, and exact intended change.
Scheduling data, profile details, and booking-related requests may pass through Maton's service.
Cal.com API requests and responses are routed through Maton's gateway rather than directly to Cal.com. This provider-mediated data flow is disclosed and central to the managed OAuth design.
Base URL ... `https://api.maton.ai/cal-com/v2/{resource}` ... Maton proxies requests to `api.cal.com`Use this skill only if you trust Maton as the OAuth/API gateway for your Cal.com account data.