Google Calendar (via gcalcli)
PassAudited by ClawScan on May 10, 2026.
Overview
This is a coherent Google Calendar helper, but users should notice that it can use a locally authenticated gcalcli account to create and delete calendar events with limited extra prompting.
This skill appears purpose-aligned and not malicious. Before installing, make sure you are comfortable with a personal-assistant workflow that can create or delete events after an explicit user request without a second confirmation when the match is clear. Also confirm that gcalcli is authenticated to the correct Google account.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent misunderstands which event you meant, it could delete or edit an event without asking one more confirmation question.
The skill intentionally allows no-extra-prompt calendar mutations and non-interactive deletion when it judges the user request and target event to be unambiguous. This is disclosed and bounded, but a wrong match could still change or delete a real calendar event.
For cancel/delete/edit actions, skip confirmation when ALL of these hold ... Use non-interactive delete with `--iamaexpert` ... Always verify via agenda
Install only if you want low-friction calendar management. If you prefer confirmation before every destructive action, edit the Actions policy to always ask first.
The agent can act on the Google Calendar account already authenticated in gcalcli.
The skill relies on gcalcli's locally stored Google OAuth credentials to access the user's calendar. This is expected for the integration, but it grants account-level calendar access through the configured gcalcli profile.
It authenticates via OAuth2 and stores credentials locally. This skill does not handle authentication — gcalcli must be set up and authenticated before use.
Verify which Google account and calendars gcalcli is configured to use, and protect or revoke the local OAuth token if needed.
The security of calendar access depends partly on the locally installed gcalcli package.
The skill depends on an external CLI installed outside the skill package. This is central to the stated purpose and not auto-installed by the skill, but users should install it from a trusted source.
`gcalcli` — install via `pip install gcalcli` or `brew install gcalcli`
Install gcalcli from a trusted package source, keep it updated, and review its OAuth permissions.