ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Calendar Local

Read Google Calendar from the local host using the configured gog wrapper. Use when the user asks for their agenda, calendar events, today's schedule, this w...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 23 · 1 current installs · 1 all-time installs
byJULIAN GOMEZ FERNANDEZ@jgf78
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md behavior (running a local gog wrapper at /home/ubuntu/.openclaw/workspace/.openclaw/calendar.sh to read Google Calendar) matches the skill description, but the registry metadata does not declare the required config path or the GOG_KEYRING_PASSWORD env var the instructions explicitly expect. The hard-coded path and password requirement should have been declared.
Instruction Scope
Instructions are narrowly scoped to running the local wrapper with timeframe arguments and summarizing output. They do not request unrelated files or network endpoints. However, they explicitly rely on a local file path and an environment secret and include guidance to interpret keyring/unlock errors — which increases sensitivity of what the agent will access.
Install Mechanism
There is no install spec and no code files — this is instruction-only, so nothing is written to disk by the skill itself. That reduces install-time risk.
!
Credentials
SKILL.md requires GOG_KEYRING_PASSWORD in the runtime environment and access to a specific user path, but the skill's declared requirements list no env vars or config paths. Asking for a password-like env var without declaring it is disproportionate and opaque. The env var is sensitive and should be explicitly declared and justified in metadata.
Persistence & Privilege
The skill is not always-enabled and does not request system-wide changes. It will run only when invoked. No other elevated persistence is requested.
What to consider before installing
This skill will run a local script at /home/ubuntu/.openclaw/workspace/.openclaw/calendar.sh and expects the service to have GOG_KEYRING_PASSWORD set. Before installing, verify the following: (1) confirm the calendar.sh wrapper is present and inspect its contents to ensure it does only what you expect (reading calendar via gog) and does not exfiltrate data; (2) ensure GOG_KEYRING_PASSWORD is stored and provided securely — the skill metadata should explicitly declare this env var and the required config path; (3) if you cannot inspect or verify the wrapper, do not enable the skill — it could expose local tokens/credentials; and (4) ask the publisher to update the skill registry entry to list the required config path and GOG_KEYRING_PASSWORD so the requirement is explicit. If you intend to use this on a shared host or in an environment where the agent can be invoked autonomously, be extra cautious because the wrapper and the keyring password are sensitive.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk97dd0f2ngg6w9ge3qd4s22yms83xv6k

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Calendar Local

Use the local wrapper instead of generic calendar advice.

Commands

Run the wrapper with an explicit timeframe:

/home/ubuntu/.openclaw/workspace/.openclaw/calendar.sh today
/home/ubuntu/.openclaw/workspace/.openclaw/calendar.sh week
/home/ubuntu/.openclaw/workspace/.openclaw/calendar.sh days 7

The wrapper already targets the correct Google account and gog binary. It requires GOG_KEYRING_PASSWORD in the runtime environment.

Workflow

  1. Run the wrapper with the matching timeframe.
  2. If the user asked for today, use today.
  3. If the user asked for this week, use week.
  4. If the user asked for the next few days, use days N.
  5. Summarize results in natural language.
  6. If no events match, say so plainly.
  7. Do not tell the user to configure OAuth again unless the wrapper fails.

Failure handling

If the wrapper fails:

  • If output mentions GOG_KEYRING_PASSWORD is not set, explain that the OpenClaw service is missing the keyring password in its environment.
  • If output mentions keyring unlock/auth errors, explain that the local Google token/keyring is unavailable or locked.
  • Only then fall back to setup guidance.

Output style

  • Be concise.
  • Prefer grouped agenda summaries.
  • Separate all-day items, timed events, and birthdays/tasks when useful.

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…