Calendar reminder
v1.0.1
ICS-backed reminder operations through the reminder worker API. Use when the user asks to create, list, cancel, or rotate reminder-style calendar items such...
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name and description match the actual behavior: a Node-based client that calls a reminder worker API. Requested binary (node) and env vars (REMINDER_API_TOKEN, REMINDER_API_BASE_URL) are appropriate and necessary for the stated purpose.
Instruction Scope
SKILL.md restricts execution to the bundled scripts/reminder-client.mjs and documents which env vars are used. The script only reads the declared env vars, stdin, and arguments, then issues HTTP calls to the base URL; it does not access unrelated files, secrets, or system paths.
Install Mechanism
There is no install spec (no external downloads). The skill includes a local JS helper that will be executed by node; nothing in the package fetches or installs remote code at runtime. Note: ensure the runtime Node has fetch available (Node 18+ or polyfill) but that's an operational, not security, issue.
Credentials
Only two env vars are required and both are justified: REMINDER_API_BASE_URL (endpoint) and REMINDER_API_TOKEN (bearer token). The primaryEnv is set correctly. No unrelated credentials or high-privilege secrets are requested.
Persistence & Privilege
The skill is not always-enabled and does not request system-wide persistence or modify other skills. Model-autonomous invocation is enabled (default) which is normal for skills; there are no additional privilege escalations.
Assessment
This skill appears to do exactly what it says: run a local Node helper that talks to a reminder worker at REMINDER_API_BASE_URL using REMINDER_API_TOKEN. Before installing: (1) Confirm the REMINDER_API_BASE_URL points to a service you trust (don't set it to an unexpected host). (2) Treat REMINDER_API_TOKEN as a secret — prefer a token scoped only to reminders, not a broad account key. (3) Be aware the skill will make network calls to the configured base URL and will log/print API responses (which may contain calendar data). (4) If you enable autonomous invocation for agents, consider testing with a low-privilege token first and verify the worker's behavior (rotate endpoint will change feed tokens). If you want extra assurance, review the included scripts/reminder-client.mjs and the API contract; there are no hidden endpoints or downloads in the package.
scripts/reminder-client.mjs:19
Environment variable access combined with network send.
Confirmed safe by external scanners
Static analysis detected API credential-access patterns, but both VirusTotal and OpenClaw confirmed this skill is safe. These patterns are common in legitimate API integration skills.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
📅 Clawdis
Bins: node
Env: REMINDER_API_TOKEN, REMINDER_API_BASE_URL
Primary env: REMINDER_API_TOKEN
latest
ICS Reminder
Use this skill when the user intent is to create or manage a reminder-like event that should appear in a subscribed calendar feed.
Reminder operations through scripts/reminder-client.mjs.
Create a reminder
node {baseDir}/scripts/reminder-client.mjs create --stdin
Required create fields:
- title
- start_at
- timezone
Optional create fields:
- notes
- location
- url
- all_day
- rrule
- alarm_offset_minutes
- source_text
- idempotency_key
List reminders
node {baseDir}/scripts/reminder-client.mjs list
Delete a reminder
node {baseDir}/scripts/reminder-client.mjs delete "<id>"
Rotate ICS feed token
node {baseDir}/scripts/reminder-client.mjs rotate
Notes
- Read REMINDER_API_TOKEN from the environment.
- Read REMINDER_API_BASE_URL from the environment.
- If REMINDER_API_BASE_URL is missing, stop and ask for configuration instead of guessing a local or remote endpoint.
- Always use scripts/reminder-client.mjs; do not embed raw HTTP calls in the skill.
- Ask a concise follow-up only when date, time, timezone, or recurrence is missing or ambiguous.
- Keep raw user text inside the JSON request body only; do not splice it into shell flags, URLs, or command fragments.
- Read references/time-parsing-rules.md for ambiguous dates, recurrence, all-day reminders, or past times.
- Read references/api-contract.md before calling the helper script.
- Read references/openclaw-config.md when the user needs help wiring the skill into ~/.openclaw/openclaw.json.
- Confirm normalized schedule details in the final response and never reveal bearer tokens or raw secret values.
