ClawHub
Back to skill
v1.0.1

synology-calendar

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 6:20 AM.

Analysis

This appears to be a straightforward Synology Calendar API helper, but it requires NAS login credentials and can modify or delete calendar data.

GuidanceInstall this only if you want the agent to manage your Synology Calendar. Configure the NAS URL yourself, prefer HTTPS, use the least-privileged account that works, and require confirmation before deletions or other significant changes.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityMediumConfidenceHighStatusNote
SKILL.md
`create_event(...)` | Create event ... `delete_event(evt_id)` | Delete event ... `delete_calendar(cal_id)` | Delete calendar

The documented API includes account-mutating and destructive calendar operations. These fit the skill's management purpose, but they can change or remove user data.

User impactIf invoked incorrectly, the agent could create unwanted items or delete calendar data from the configured Synology account.
RecommendationAsk the agent to confirm before deletions or bulk changes, and review event/calendar IDs before allowing destructive operations.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityMediumConfidenceHighStatusNote
SKILL.md
export SYNOLOGY_URL="http://{nas_ip}:5000" ... export SYNOLOGY_USER="{username}" ... export SYNOLOGY_PASSWORD="your-password"

The skill requires Synology endpoint and account credentials so it can log in to the Calendar API. This is expected for the stated purpose, but it gives the agent access to that Synology account.

User impactAn agent using this skill can access calendar data available to the configured Synology user.
RecommendationUse a least-privileged Synology account where possible, prefer HTTPS or a trusted local network, and keep the environment variables private.