Apple Calendar CLI

v1.0.0

This skill should be used when interacting with Apple Calendar on macOS. Use it for listing calendars, viewing events, creating/updating/deleting calendar events, and checking availability/free-busy times. Triggers on requests like "check my calendar", "schedule a meeting", "what's on my schedule", "am I free tomorrow", or any calendar-related operations.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes a macOS Apple Calendar CLI (accli) and instructs using the accli binary and npm to install @joargp/accli, but the skill metadata declares no required binaries and provides no install spec or source/homepage. That mismatch (instruction-only skill that depends on an external npm package) is incoherent: the agent/installer would need accli/npm to perform the described actions, yet the registry metadata doesn't declare those dependencies or provide a trusted source.
Instruction Scope
The runtime instructions are narrowly scoped to calendar operations (list, query, create, update, delete, free/busy) and do not direct the agent to read unrelated files or exfiltrate data. They do, however, instruct the user/agent to run shell commands (accli, date) and to install a package from npm, which could execute arbitrary code during installation (postinstall scripts). The SKILL.md advises confirming destructive actions with the user, which is good.
Install Mechanism
There is no install spec in the skill metadata, but SKILL.md tells the user to run `npm install -g @joargp/accli`. That is an implicit install mechanism that would fetch and run code from the public npm registry; the package and owner are not verified here. A global npm install may run install scripts and place binaries on the system — a moderate-risk action when the package source is unknown. The lack of an explicit, vetted install spec in the registry is a warning sign.
Credentials
The skill does not request any environment variables, credentials, or config paths. Access to macOS Calendar is local and requires user-granted system permissions (not declared as env vars), which is proportionate to the stated purpose.
Persistence & Privilege
The skill does not request always=true and provides no install-time persistence or cross-skill configuration changes. It appears to rely on a user-installed CLI binary, not on being force-enabled by the platform.
What to consider before installing
This SKILL.md describes a reasonable Apple Calendar CLI, but there are a few red flags you should consider before installing or using it:

- Metadata vs. instructions mismatch: the skill metadata does not declare required binaries or an install method, yet the documentation instructs you to run `accli` and to install `@joargp/accli` via npm. Ask the publisher for an explicit install spec or a verified homepage/source.
- Unknown npm package: `npm install -g @joargp/accli` will fetch and run code from the public npm registry. Verify the package and its owner (inspect the package on npm, the repository, and recent versions) before globally installing. Look for signs of trust: GitHub repo, maintainer history, README, and no malicious postinstall scripts.
- Global npm installs can run install scripts and modify system state. Prefer inspecting the package (or installing locally in a sandbox) before granting broad system-level installation.
- Calendar access is local and requires macOS permissions; the skill does not ask for cloud credentials, which is appropriate. Still, be aware that the installed CLI will be able to read and modify your local calendar data if granted permission.

If you want to proceed safely: request the package source or a signed binary, inspect the npm package contents (and postinstall scripts) before running, prefer a local/sandboxed install, and test in a non-production account. If the publisher cannot provide a trustworthy repository or explanation for the missing install metadata, treat the package with caution.

Like a lobster shell, security has layers — review code before you run it.

latestvk974nz8j4jdq45rz4hrez2ep8d7ym1mc
