v1.0.1

Feishu calendar sync, local ics to json data for AI agent

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 7:51 AM.

Analysis

This skill appears to be a straightforward local calendar-file converter, but users should be aware it reads calendar contents and writes JSON files locally.

GuidanceThis skill looks safe for its stated local ICS-to-JSON conversion purpose. Before installing or using it, install dependencies only from trusted sources, use a narrow calendar input folder, and review the generated JSON because it may contain private meeting details.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceHighStatusNote

SKILL.md

install vdirsyncer and setup calendar sync

The skill asks the user to install and configure an external calendar-sync tool, but no install specification, version pinning, or configuration guidance is provided in the artifacts.

User impactUsers may need to install and configure external calendar tooling themselves, which could involve account setup or sync behavior not reviewed here.

RecommendationInstall dependencies from trusted sources, review vdirsyncer configuration carefully, and limit any calendar sync to the calendars and accounts you intend to use.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceHighStatusNote

scripts/ics2json.py

from icalendar import Calendar

The script depends on the third-party Python icalendar package, but the provided artifacts do not include an install spec, requirements file, or pinned dependency version.

User impactUsers may install an unpinned package version, which can create reproducibility or supply-chain uncertainty.

RecommendationUse a trusted Python environment and pin the icalendar package version before running the script.

Tool Misuse and Exploitation

SeverityInfoConfidenceHighStatusNote

scripts/ics2json.py

for root, _, files in os.walk(input_dir): ... if file.lower().endswith(".ics")

The script recursively processes every .ics file under the user-provided input directory.

User impactIf pointed at a broad directory, the tool may process more calendar files than the user intended.

RecommendationProvide a narrow input directory containing only the ICS files you want converted.

Tool Misuse and Exploitation

SeverityInfoConfidenceHighStatusNote

scripts/ics2json.py

out_path = os.path.splitext(path)[0] + ".json"

When --split is used, the script writes JSON files next to each source ICS file rather than only to a single chosen output path.

User impactUsing split mode can create JSON files throughout the selected calendar directory tree.

RecommendationUse --split only in folders where adjacent JSON output is acceptable, or use the single-output mode with -o for more control.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityLowConfidenceHighStatusNote

scripts/ics2json.py

"summary": str(component.get("SUMMARY")), "organizer": str(component.get("ORGANIZER")), "start": component.get("DTSTART").dt.isoformat()

The converter extracts calendar event details such as titles, organizers, times, and alarms into JSON, which may later be imported into or used by an AI agent.

User impactCalendar files can contain private meeting titles, attendees, organizers, and schedules; the generated JSON may make that information easier to reuse or share.

RecommendationRun the converter only on intended calendar folders, review the JSON before importing it elsewhere, and avoid processing calendars with sensitive events unless needed.