v1.0.2

CardDAV Contacts

Benign. ClawScan verdict for this skill. Analyzed May 1, 2026, 5:33 AM.

Analysis

This skill is coherent and purpose-aligned for managing CardDAV contacts, but it can sync, store, edit, move, and delete contacts using a local CardDAV credential.

Guidance: Before installing, make sure you are comfortable giving vdirsyncer/khard access to your contacts and CardDAV credential. Confirm destructive actions like delete or move, and review your sync conflict settings so contact changes behave the way you expect.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Note
SKILL.md
Always sync before querying to ensure you have the latest contacts:
```bash
vdirsyncer sync
```

The skill instructs sync as the default first step before lookups. This is purpose-aligned, but sync can change local contact state and may interact with remote CardDAV data depending on user configuration.

User impact: A simple contact lookup may first update local contact files from the remote address book, and pending local/remote changes could be reconciled by vdirsyncer.
Recommendation: Review your vdirsyncer configuration and conflict-resolution behavior before relying on automatic sync-before-query workflows.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Note
SKILL.md
```bash
khard new ...
khard edit "john" ...
khard remove "john"              # Delete contact
khard move "john" -a work        # Move to another address book
```

The skill documents contact mutation commands, including deletion and movement between address books. These commands are directly related to managing contacts, but they can alter or remove user data.

User impact: If invoked for management tasks, the agent can help create, edit, move, or delete contacts.
Recommendation: Ask the agent to confirm the exact contact and action before edit, move, or delete operations, especially when names may match multiple contacts.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
SKILL.md
```ini
username = "your@email.com"
password.fetch = ["command", "cat", "~/.config/vdirsyncer/google_app_password"]
```

The example configuration uses a local app-password file to authenticate to a CardDAV provider. Credential use is expected for CardDAV sync, but it is sensitive account access.

User impact: The configured vdirsyncer account can access and synchronize the user’s contacts for that provider.
Recommendation: Use an app-specific password or least-privilege credential where available, store it with restrictive file permissions, and verify the URL points to the intended CardDAV provider.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low | Confidence: High | Status: Note
SKILL.md
vdirsyncer syncs CardDAV contacts to local `.vcf` files ... path = "~/.local/share/vdirsyncer/contacts/"

The skill stores synced contacts persistently on the local filesystem. This is the normal vdirsyncer model, but contact data is personal and may be reused by future commands.

User impact: Your contacts may be stored locally as files and read by khard when the agent searches or displays contact details.
Recommendation: Keep the contact storage path private, avoid sharing it with unrelated tools, and consider backups or provider-side recovery options before enabling sync.