Warn

Audited by ClawScan on May 14, 2026.

Overview

The skill is purpose-aligned for Google Calendar/Meet, but it asks users to run an unreviewed, unpinned MCP package with authenticated Google account access and high-impact calendar/meeting controls.

Install only if you trust the external npm package and have reviewed its Google permissions. Use a least-privilege Google account where possible, and require explicit confirmation before deleting events, responding to invitations, or ending Meet conferences.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The code that handles the user's Google Calendar and Meet access would be downloaded and run from outside the reviewed skill artifacts.

Why it was flagged

The skill instructs users to run an npm package by name through npx without pinning a version, while the provided artifact set contains no package code to review.

Skill content

"command": "npx", "args": ["-y", "gogcli-mcp-calendar"]

Recommendation

Install only if you trust the npm package and publisher; prefer a pinned version and review the package source before giving it account access.

What this means

The MCP server may use the user's existing Google account session to read or change calendar and meeting data.

Why it was flagged

The skill relies on an already-authenticated Google CLI account, but the registry metadata declares no primary credential, required environment variables, or config paths.

Skill content

- [gogcli](https://github.com/steipete/gogcli) installed and authenticated

Recommendation

Use a dedicated Google account or least-privilege OAuth setup if possible, and confirm exactly which Google scopes `gogcli` and this MCP package can use.

What this means

An agent using this skill could alter or delete calendar data, respond to invitations, or end meetings if invoked incorrectly.

Why it was flagged

The advertised tools include destructive and privacy-sensitive actions, but the skill does not document confirmation requirements, calendar/account scoping, or safeguards for high-impact operations.

Skill content

creating/updating/deleting events, responding to invitations, creating Meet spaces, ending conferences, listing meeting participants or call history

Recommendation

Require explicit user confirmation for deletes, updates, invitation responses, and ending conferences; verify the target calendar, event, or Meet space before action.

What this means

Meeting attendance and call history may be surfaced to the agent when using the skill.

Why it was flagged

The MCP server exposes meeting history and participant data to the agent workflow; this is relevant to the skill's purpose but privacy-sensitive.

Skill content

`gog_meet_history` | List past calls in a space | ... `gog_meet_participants` | List call participants |

Recommendation

Use the skill only in trusted chats and avoid asking it to access meeting history unless necessary.