Caldav Cli
ReviewAudited by ClawScan on May 1, 2026.
Overview
This is a coherent calendar-management CLI skill, but installing it means trusting an external npm tool with calendar account credentials and permission to read or create calendar events.
Before installing, make sure you trust the caldav-cli npm package and only add calendar accounts you want the agent-accessible CLI to manage. Treat event creation commands as account-changing actions and review details such as account, calendar, title, time, and location before running them.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked with the wrong details, the tool could add unwanted events to a connected calendar account.
The skill documents non-interactive commands that can create calendar events. This is expected for a calendar-management CLI, but it is still a real account mutation capability.
caldav-cli events create --title "Team standup" --start "2026-02-10T10:00" --end "2026-02-10T10:30"
Use explicit account and calendar flags when creating events, and review event details before allowing the agent to run creation commands.
The installed CLI will be trusted with credentials or refresh tokens that can access the user's calendar account.
The skill requires calendar credentials or OAuth tokens for iCloud, Google, Yandex, or custom CalDAV accounts. This is expected for the stated purpose and is disclosed as keychain-backed storage.
Passwords, OAuth2 refresh tokens, and OAuth2 client credentials ... OS keychain ... via `@napi-rs/keyring`.
Only connect accounts you want this CLI to manage, prefer app-specific passwords or properly scoped OAuth credentials where available, and remove accounts from the CLI when no longer needed.
The actual executable handling calendar data and credentials comes from the npm package rather than from reviewed code in this artifact.
The skill depends on installing and running a global npm package that is not included in the provided artifact set. This is normal for an instruction-only CLI skill, but users must trust the package source.
npm install -g caldav-cli
Verify the npm package and linked source repository before installation, and install from a trusted package version.