Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Calendar Manager
v1.1.0日历管理技能 - 让 AI 能够读取日程、创建事件、设置提醒。当用户要求查看日程、添加日历事件、提醒 upcoming events 时触发此技能。
⭐ 0· 1.8k·27 current·27 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The name and description match the instructions: the SKILL.md explains how to read, create, modify, and remind about calendar events using local calendar CLIs and system schedulers. The supported services (Google, Apple, Outlook, Fantastical) align with calendar management.
Instruction Scope
Instructions focus on invoking local calendar CLIs (gcalcli, icalBuddy, 'gog' is referenced) and on summarizing events and setting reminders. They do not instruct the agent to read unrelated system files or exfiltrate data. Notes of caution: (1) the document references OAuth usage and client-secret parameters for gcalcli but the skill declares no required credentials — the user must perform OAuth/config locally; (2) there is an apparent inconsistency/typo: the SKILL.md uses both 'gog' and 'gcal/gcalcli' which could confuse which CLI to run; (3) the guide includes cron/Windows Task scheduling examples, which would create persistence if followed.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That minimizes risk because nothing is downloaded or written by the skill itself.
Credentials
The skill declares no required environment variables or credentials, which is coherent for an instruction-only skill. However, the references mention OAuth flows and client-id/client-secret usage for gcalcli; if you follow those steps you will grant calendar/account access. The SKILL.md also suggests integration with an email-reading skill (email-reader), which could require email access — that is external to this skill and should be audited separately.
Persistence & Privilege
always:false and default autonomous invocation are appropriate. The skill itself does not request permanent agent presence or modify other skills. However, its instructions include using cron/Windows Task Scheduler to deliver reminders; if the user or agent follows those instructions, that creates persistence on the host outside the skill bundle.
Assessment
This skill is an instruction-only calendar helper and is broadly coherent with its description, but check these before installing or using it:
- The skill has no homepage and an unknown source; only proceed if you trust the publisher.
- Confirm which CLI the skill expects: the README references gcalcli and icalBuddy but also uses 'gog' (likely a typo). Running the wrong binary could do nothing or run an unexpected program.
- The docs mention OAuth and client-id/client-secret usage for Google Calendar. Granting OAuth consent or storing client secrets gives calendar access — review scopes and perform OAuth interactively rather than pasting secrets into unknown apps.
- The guide shows how to create cron jobs / scheduled tasks for reminders. If you or an automated agent implement those, they will persist on your system; review any scripts before scheduling them.
- The skill suggests integration with an email-reader skill; that could access your mailbox. Audit that other skill's requirements before enabling cooperation.
If you need this functionality, prefer to install and configure the official CLIs (gcalcli, icalBuddy, Fantastical/Outlook clients) yourself and verify commands locally. If anything in the docs looks unclear (the 'gog' reference), ask the publisher for clarification before granting access or automating tasks.Like a lobster shell, security has layers — review code before you run it.
latestvk978q7rp9crgzzerj9p64zkc9581s1zy
License
MIT-0
Free to use, modify, and redistribute. No attribution required.