gcal-oauth-bridge
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill is coherent for Google Calendar access, but it involves OAuth credentials, a persistent local calendar service, and user-installed external Node.js code that users should review and protect.
Before installing, review the linked GitHub service, protect the Google OAuth client secret and tokens.json file, consider enabling the optional API key, and only enable the persistent systemd service if you are comfortable with ongoing local Calendar access.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing and using the bridge gives the local service continuing access to your Google Calendar data until tokens are revoked or removed.
The skill requires Google OAuth setup and persistent token storage to access Google Calendar. This is expected for the stated purpose, but it is sensitive account authority.
"requires": { "env": ["GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_SECRET"] } ... Tokens stored locally in tokens.json on your server
Use a dedicated OAuth client, protect the .env and tokens.json files, revoke access if no longer needed, and confirm the OAuth scopes match calendar read needs.
Other local tools or agents that can reach the bridge may be able to read calendar information if the service is running without an API key requirement.
The bridge exposes a local REST endpoint that can return events from all calendars, and the documentation says same-host calls may not require an API key. This is purpose-aligned, but broad local access should be understood.
GET /events?days=7&calendar=all ... no API key needed when running on same host
Enable CALENDAR_BRIDGE_API_KEY where practical, keep the service bound to localhost, and avoid exposing port 3000 beyond trusted local access.
The actual Node.js service and its dependencies will come from the external repository at install time.
The submitted skill is instruction-only and directs users to install and run code from an external GitHub repository. This is normal for this setup, but the runnable service code is not included in the reviewed artifact.
git clone https://github.com/DanielKillenberger/gcal-oauth-bridge.git ... npm install
Review the repository, dependency files, and permissions before running npm install or node app.js, and prefer pinned versions or a trusted commit.
Calendar access can continue in the background after initial setup, which is convenient but should be intentionally enabled.
The service is designed to keep running and maintain OAuth access through token refresh. This persistence is disclosed and central to the skill’s purpose.
Stores and auto-refreshes tokens ... systemctl --user enable calendar-bridge.service
Only enable the systemd service if you want continuous availability, and know how to stop the service and delete or revoke stored tokens.
