Apple Calendar CLI Plus
PassAudited by VirusTotal on May 5, 2026.
Overview
Type: OpenClaw Skill Name: accli-plus Version: 1.2.4 The accli-plus skill is a legitimate CLI wrapper for managing Apple Calendar on macOS via EventKit. The documentation (SKILL.md and README.md) describes standard calendar operations such as creating, updating, deleting, and exporting events, with specific instructions for AI agents to use JSON output and stable IDs. No evidence of malicious intent, data exfiltration to external endpoints, or prompt injection was found; the tool's capabilities are consistent with its stated purpose of calendar management.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could accidentally change or delete important calendar events if used without review.
The CLI can update or delete calendar events, including whole recurring series. This is expected for a calendar-management tool, but it is a high-impact action if the agent targets the wrong event.
`--span all` — all occurrences (deletes/updates the entire series)
Use `--dry-run`, stable calendar IDs, and explicit user confirmation before any update, delete, or recurring-series operation.
The installed CLI may be able to read and modify private calendar data available to Apple Calendar.
The skill requires macOS Calendar Full Access, which can expose and modify calendar data. This is disclosed and aligned with the stated calendar-management purpose.
`accli setup` to grant Calendar permissions (Full Access required in System Settings > Privacy & Security > Calendars).
Grant Calendar access only if you trust the installed CLI, and revoke it in macOS Privacy settings when no longer needed.
The scanned skill text looks coherent, but the actual CLI behavior depends on an external package that was not reviewed here.
The skill depends on an external globally installed npm package, but the package code is not included in the provided artifacts and the registry has no install spec.
requires: binaries: [accli] install: "npm install -g @gopaljigaur/accli"
Verify the npm package source and publisher before installing, and prefer pinned or reviewed versions where possible.
Private calendar information could be included in agent context, logs, or downstream outputs if broad exports are requested.
The export and search commands can place broad calendar details into agent-readable JSON output. This is purpose-aligned but may include sensitive event titles, locations, descriptions, and schedules.
`accli export --from <date> --to <date> [--calendar-id <id>] [--json]` ... Exports all events grouped by calendar.
Limit exports/searches by date range and calendar ID, and avoid sending unnecessary calendar data into agent workflows.