Calendly Quick Book
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: calendly-quick-book
Version: 1.0.0
The OpenClaw skill 'calendly-quick-book' is benign. It clearly outlines its purpose to book Calendly meetings and provides a legitimate API workflow using `curl` examples directed at `api.calendly.com`. The skill requires a `CALENDLY_API_TOKEN` environment variable, which is used appropriately for authentication with the Calendly API. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or prompt injection attempts against the agent in `SKILL.md` that would lead to unauthorized actions or access to sensitive data beyond its stated purpose.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked on a booking request, the agent may create a real Calendly booking and send a calendar invite.
The skill is meant to book meetings, and it discloses the Calendly API call that creates an invitee; users should notice that the action is a real account mutation, not just a suggestion.
Triggers on "book", "schedule calendly", "calendly book", or any request to book a meeting without sending a link... `curl -s -X POST "https://api.calendly.com/invitees"`
Confirm the invitee, email, timezone, event type, and time before allowing the final booking API call, especially for ambiguous requests.
The agent can use the configured Calendly token to access Calendly APIs and book meetings on your behalf.
The skill requires a Calendly API token stored in OpenClaw configuration so the agent can act through the user's Calendly account; this is expected for the stated integration.
openclaw config set env.CALENDLY_API_TOKEN "your-token-here"
Use a token you can revoke, keep it private, and remove or rotate it if you stop using the skill.
