Calendar Sync

Pass

Audited by ClawScan on May 1, 2026.

Overview

The skill’s calendar-sync purpose matches its instructions, but it expects OAuth setup, can modify calendar events, and references a helper script that is not included.

This looks like a coherent calendar-sync skill rather than malicious behavior. Before installing or using it, verify the missing calendar.py implementation, protect any OAuth secrets, use limited calendar scopes, and manually confirm any event creation or deletion requests.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If run with the wrong event ID or provider account, the skill could create, change, or delete calendar entries.

Why it was flagged

The skill documents calendar mutation operations, including deletion. This is aligned with the stated CRUD calendar-sync purpose, but it can change or remove user calendar data.

Skill content

User wants to add/edit/delete calendar events ... python3 scripts/calendar.py delete --event-id "xxx"

Recommendation

Confirm the target calendar account, event ID, and requested action before running add/edit/delete operations.

What this means

Calendar access depends on credentials or OAuth configuration that should be protected and scoped appropriately.

Why it was flagged

The skill asks for Google and Outlook OAuth client secrets. That is expected for a calendar integration, but it is credential-bearing setup and the registry metadata does not declare required env vars or a primary credential.

Skill content

export GOOGLE_CLIENT_SECRET="xxx" ... export OUTLOOK_CLIENT_SECRET="xxx"

Recommendation

Use least-privilege OAuth apps/scopes, avoid sharing secrets, and review any actual implementation before authorizing calendar access.

What this means

The reviewed artifacts do not show the implementation that would handle calendar credentials and event changes.

Why it was flagged

The instructions rely on a helper script path, but the supplied artifact set contains only SKILL.md and no install spec or code file for scripts/calendar.py.

Skill content

python3 scripts/calendar.py list --days 7

Recommendation

Do not run an unverified local scripts/calendar.py; install or inspect the intended implementation before use.

What this means

Calendar details may persist locally and could expose schedule information if stored insecurely.

Why it was flagged

The skill indicates calendar event data may be stored locally. This is purpose-aligned, but the artifacts do not describe storage location, retention, or protection.

Skill content

Synchronize calendar events across Google Calendar, Outlook, and local storage.

Recommendation

Verify where calendar data is stored, protect that location, and remove local sync data when no longer needed.