Google Calendar

Pass

Audited by ClawScan on May 7, 2026.

Overview

The skill appears to do what it says—connect to Google Calendar through Maton—but it needs OAuth/API-key access and can make calendar changes with user approval.

Before installing, make sure you trust Maton with Google Calendar access. Keep MATON_API_KEY and connection URLs private, explicitly approve any create/update/delete action, choose the intended connection when multiple Google accounts are linked, and revoke the connection when you no longer need it.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The connected Maton/Google authorization can read and potentially modify calendar resources within the authorized account.

Why it was flagged

The skill uses a Maton API key and Google OAuth connection to act on the user's Google Calendar account. This is expected for the stated purpose, but it is sensitive delegated account access.

Skill content

Maton proxies requests to `www.googleapis.com` and automatically injects your OAuth token.

Recommendation

Use only if you trust Maton with Google Calendar access, keep MATON_API_KEY private, specify the intended connection when multiple accounts exist, and revoke unused connections.

What this means

If write actions are approved incorrectly, calendar events or related resources could be created, changed, or deleted.

Why it was flagged

The skill can perform calendar write operations, but the artifact also instructs the agent to get explicit approval first. This is purpose-aligned but still important for users to notice.

Skill content

**All write operations require explicit user approval.** Before executing any create, update, or delete call, confirm the target resource and intended effect with the user.

Recommendation

Require clear confirmation of the calendar, event details, attendees, time, and intended effect before any create, update, or delete operation.

What this means

Calendar event details, availability, and account metadata may transit through Maton as part of normal use.

Why it was flagged

Calendar API requests and responses are routed through Maton's gateway before reaching Google. This is disclosed and purpose-aligned, but it means calendar data may pass through a third-party service.

Skill content

https://api.maton.ai/google-calendar/{native-api-path} ... Maton proxies requests to `www.googleapis.com`

Recommendation

Install only if you are comfortable with Maton handling Google Calendar requests, and avoid sending highly sensitive calendar details unless necessary.

What this means

A compromised or unexpected CLI package would run on the user's machine with their local user privileges.

Why it was flagged

The documentation suggests installing an external CLI globally. This is user-directed and relevant to the skill, but the installed package itself is outside the supplied artifacts.

Skill content

npm install -g @maton-ai/cli ... brew install maton-ai/cli/maton

Recommendation

Install the CLI only from trusted Maton sources, verify the package before use, or use direct HTTPS API calls if you do not want to install the CLI.