v0.1.0

Jetlag Planner

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 6:43 AM.

Analysis

The skill’s purpose is coherent, but it needs review because it uses Google OAuth credentials, stores a persistent token, and can automatically write many Google Calendar events.

Guidance: Review this before installing. If you proceed, use a separate Google OAuth client, understand that it can read and write Google Calendar, protect or delete ~/.oauth-token.json when no longer needed, and run the planner only when you want it to add events.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low, Confidence: High, Status: Note
README.md
No manual input — it reads your existing flight events and does everything automatically.

**What gets written:** ... writes 14+ events to your Google Calendar with reminders

Automatic calendar writing is central to the stated purpose, but the artifacts make clear that one invocation may create many calendar events without a per-event confirmation step.

User impact: Running the skill may add numerous reminders and planning blocks to the user's calendar.
Recommendation: Only run it when you want calendar changes, and consider adding a preview/confirm mode before event creation.

Agentic Supply Chain Vulnerabilities
Severity: Low, Confidence: High, Status: Note
package.json
"dependencies": {
  "dotenv": "^16.4.5",
  "googleapis": "^144.0.0",
  "luxon": "^3.5.0",
  "open": "^10.1.0"
}

The Node dependencies are expected for this purpose, but caret version ranges allow newer dependency versions to be installed.

User impact: A future npm install could resolve to dependency versions different from the reviewed ones.
Recommendation: Install from a trusted repository and prefer a checked-in lockfile or pinned dependency versions for repeatable installs.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High, Confidence: High, Status: Concern
index.js
const TOKEN_PATH = path.resolve('.oauth-token.json');

const SCOPES = ['https://www.googleapis.com/auth/calendar'];

The code requests the full Google Calendar OAuth scope and stores an OAuth token locally, which grants broad read/write calendar authority that persists across runs.

User impact: If authorized, the skill can access and modify Google Calendar data using the saved token until the token is revoked or deleted.
Recommendation: Use a dedicated OAuth client, ensure the saved token file is protected, document the exact Calendar scope at install time, and revoke/delete the token when uninstalling.

Identity and Privilege Abuse
Severity: Medium, Confidence: High, Status: Concern
README.md
Ask your Claw bot:

> "What is your Google Client ID and Secret from your config?"

The setup instructions tell the user to extract a Google OAuth client secret from the bot's configuration, which is sensitive credential handling outside a clearly declared credential flow.

User impact: The user may disclose or copy configuration secrets from their agent environment into this skill's local .env file.
Recommendation: Do not ask the bot to reveal config secrets. Prefer creating a separate Google OAuth desktop client for this skill or using a secure, declared credential handoff.