Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Calendly Integration
v1.0.0
Calendly scheduling integration. List events, check availability, manage meetings via Calendly API.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to integrate with the Calendly API (listing events, cancelling, scheduling). That requires a Calendly Personal Access Token, but the registry metadata declares no required environment variables or primary credential. Also the SKILL.md and README assume a 'calendly' CLI binary exists (or can be generated), yet the package contains only README.md and SKILL.md — no CLI. These are coherence/packaging issues: the skill as published doesn't include the executable it documents and the manifest doesn't declare the real secret it needs.
Instruction Scope
Runtime instructions are explicit about which CLI commands to run and which Calendly endpoints to use. They instruct storing CALENDLY_API_KEY in environment or in ~/.moltbot/.env or ~/.clawdbot/.env and using time filters for list-events. The instructions do not request unrelated system files, but they do encourage reading/writing bot-specific dotfiles and optionally running npx mcporter to generate a CLI — which grants the agent permission to run code fetched from npm if followed.
Install Mechanism
There is no install spec in the registry (instruction-only), which is low risk. However the README/SKILL.md document using npx mcporter@latest to generate a CLI (and reference calendly-mcp-server npm). Running those commands would download and execute code from npm — a moderate-risk operation if you don't trust the upstream packages. The published skill itself does not include the CLI binary, so following the docs would require fetching external code.
Credentials
The skill requires a Calendly Personal Access Token (CALENDLY_API_KEY) to function, but the registry metadata failed to declare this. The instructions suggest placing the token in environment variables or in bot dotfiles under the user home, which are sensitive locations. No other credentials are requested, which is proportionate to the stated purpose — the concern is the missing declaration and the guidance to store secrets in shared dotfiles without explaining scoping or least-privilege.
Persistence & Privilege
The skill is not forced-always, does not request system-level installs in the registry, and does not declare modifications to other skills or global configuration. Autonomy (model-invocation) is allowed by default, which is normal. There is no indication that the skill requests persistent elevated presence.
What to consider before installing
This skill appears to be a straightforward Calendly CLI wrapper, but the published package is inconsistent and incomplete. Before installing or providing secrets:
1) Confirm provenance — this repo/author (meAmitPatil / kesslerio) and the calendly-mcp-server/npm packages are what you expect.
2) Do not paste your CALENDLY_API_KEY into shared or system-wide dotfiles unless you accept that other local processes or skills may read them; prefer a skill-specific config or runtime secret store.
3) If you must run the documented npx/mcporter commands to generate the CLI, review the code they will fetch (npm package source) — npx executes remote code.
4) Prefer an OAuth flow or least-privilege PAT and rotate the token after initial testing.
5) Because the registry metadata omits the required CALENDLY_API_KEY and the binary is not bundled, treat this package as incomplete/packaging-error rather than production-ready until fixed.
If you want a definitive 'benign' judgment, ask the publisher to (a) publish the CLI binary or include a verified install spec, and (b) update the registry to declare CALENDLY_API_KEY as a required credential.
Like a lobster shell, security has layers — review code before you run it.
