Caldav
Pass
Audited by ClawScan on May 1, 2026.
Overview
This skill is coherent for CalDAV/Radicale management, but it does use calendar credentials and can change or delete calendar/server data when invoked.
Install only if you want an agent to manage your CalDAV calendars or Radicale server. Protect CALDAV_PASSWORD and config files, use limited-scope accounts where possible, and review create/update/delete or Radicale admin actions before allowing them to run.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone enabling this skill should expect it to use calendar account credentials and act with whatever calendar permissions those credentials have.
The scripts authenticate to a CalDAV account using local config or environment credentials, which is necessary for the skill but gives the agent delegated access to the user's calendars.
CONFIG_PATHS = [Path.home() / ".config" / "caldav" / "config.json", Path("/etc/caldav/config.json")] ... config["password"] = os.environ["CALDAV_PASSWORD"] ... return DAVClient(... username=config.get("username"), password=config.get("password"))
Use a least-privileged calendar account when possible, protect the config file, and remove credentials when the skill is no longer needed.
The agent can create, modify, complete, or delete calendar events, calendars, todos, and some Radicale server state when asked to use these commands.
The documented capabilities include direct mutation and deletion of calendar data and server administration. This matches the skill's purpose, but these actions can have real user impact.
Calendar CRUD operations (create, list, update, delete) ... Event management (create, update, delete, query) ... Todo/task management ... Radicale server configuration and administration
Give precise instructions for changes, review destructive actions, and avoid using --force unless you are sure the target is correct.
Using Radicale admin commands may inspect local service state or modify local user files, depending on permissions.
The Radicale administration script runs local system commands to inspect services and manage htpasswd users. This is purpose-aligned for server administration, but it is broader than simple calendar API access.
subprocess.run(["systemctl", "status", "radicale"], ...); subprocess.run(["pgrep", "-f", "radicale"], ...); subprocess.run(cmd)
Run these commands only on machines where you intend to administer Radicale, and verify paths before adding or removing users.
The behavior of the skill depends partly on the installed caldav package version and its dependencies.
The skill depends on an external Python package installed without a pinned version. This is normal for this integration, but users should treat it as a supply-chain dependency.
Install the caldav library:
```bash
pip install caldav
```
Install dependencies from trusted package indexes, consider pinning versions in your environment, and keep the package updated.
