Calendar Local
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill’s calendar purpose is clear, but it relies on an undeclared local script and local Google keyring credentials to read calendar data.
Review this skill before installing. It appears designed for legitimate local Google Calendar summaries, but it depends on a local script and persistent Google keyring credentials that are not included or declared in the metadata. Only install it on a host where you trust the referenced calendar.sh wrapper and want the agent to read that configured Google Calendar account.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If installed, the agent may be able to read the configured Google Calendar account whenever it decides a user is asking for agenda information.
The skill uses a local Google account credential/keyring password to access calendar data, while the supplied registry metadata declares no required env vars or primary credential.
The wrapper already targets the correct Google account and gog binary. It requires `GOG_KEYRING_PASSWORD` in the runtime environment.
Declare the credential and environment requirements, document which Google account is accessed, and ensure calendar lookups are limited to authorized users and explicit requests.
The agent would delegate calendar access to unreviewed local code that can run with the OpenClaw service environment and access local Google credentials.
The skill instructs the agent to execute a local wrapper script, but the supplied artifact set contains only SKILL.md, so the script’s contents, dependencies, and provenance are not reviewable.
/home/ubuntu/.openclaw/workspace/.openclaw/calendar.sh today
Bundle or reference the wrapper through a verifiable install spec, pin its provenance, and declare the required local path/dependency so users can review what will run.