Skillv1.0.12

ClawScan security

Recipe Reschedule Meeting · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 31, 2026, 6:37 PM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's instructions, required binary, and declared dependency line up with its stated purpose (rescheduling a Google Calendar event and notifying attendees); there are no unexplained credentials, installs, or file accesses in the recipe itself.
Guidance: This recipe appears internally consistent, but before running it: - Confirm the 'gws' binary and the 'gws-calendar' skill are from sources you trust (they will use your Google account tokens). - Replace EVENT_ID and the example date/time with the correct event identifier and desired new times — the provided JSON is a hard-coded example. - Understand that the patch command uses sendUpdates: "all", so attendees will be notified automatically; avoid running on real events until you've tested with a dummy event. - If you don't want automatic notifications, adjust or remove sendUpdates accordingly. - If you install or run the external 'gws' tool, verify where it stores tokens and ensure they are protected; revoke credentials if you later remove the tool or suspect misuse.

Review Dimensions

Purpose & Capability: okThe skill says it will move a Google Calendar event and notify attendees and the SKILL.md shows gws calendar commands that perform exactly that. The required binary (gws) and dependency on the gws-calendar skill are coherent with the described functionality.
Instruction Scope: okThe runtime steps only call the gws calendar CLI to find, fetch, and patch an event; they do not reference unrelated files, environment variables, or external endpoints. Note: the example patch contains hard-coded date/time values and an EVENT_ID placeholder — the user must supply the correct eventId and desired times before running.
Install Mechanism: okThis is an instruction-only skill with no install spec and no code files, so nothing is written to disk by the skill bundle itself. Risk depends on the external 'gws' binary and the gws-calendar skill, which are outside this recipe.
Credentials: noteThe recipe declares no required env vars or credentials, which is reasonable for an instruction-only recipe. However, the gws binary (and the gws-calendar skill) will likely use the user's Google OAuth credentials or local tokens at runtime — those credentials are not declared here but that is expected for a CLI wrapper. Verify the origin and permissions of the gws binary/skill before use.
Persistence & Privilege: okThe skill does not request always:true and is user-invocable only. It does not attempt to modify other skills or system-wide settings in the provided instructions.