Gcalcli Calendar 3.0.0
ReviewAudited by ClawScan on May 10, 2026.
Overview
This instruction-only calendar skill is aligned with managing Google Calendar via gcalcli, but it will use your existing Google Calendar access and can create or delete events quickly, including unambiguous deletes without a second confirmation.
Install this only if you trust gcalcli and are comfortable letting the agent use your Google Calendar account to read, create, import, and delete events. If you want stronger safety, change the policy to require confirmation before every delete or edit.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent identifies the wrong single event, it could delete or edit a calendar entry immediately after your request.
The skill can delete calendar events without a second confirmation when the user explicitly requested the action and exactly one tight-window match is found. This is disclosed and purpose-aligned, but it is still a high-impact tool action.
Unambiguous actions: execute immediately ... skip confirmation when ALL of these hold ... Use non-interactive delete with `--iamaexpert`
Use only if you are comfortable treating your explicit delete/edit request as confirmation; otherwise edit the skill policy to always ask before destructive changes.
Calendar reads, creates, imports, and deletes will run with whatever Google Calendar permissions gcalcli has been granted.
The skill operates through the user's existing gcalcli OAuth access to Google Calendar. This is expected for the integration, and the artifacts do not show credential logging or unrelated transmission.
It authenticates via OAuth2 and stores credentials locally. This skill does not handle authentication — gcalcli must be set up and authenticated before use.
Review the Google account and calendars configured in gcalcli, and revoke or limit OAuth access if you no longer want the agent to use it.
It may be harder to verify the skill's origin or compare it against an upstream project.
The registry metadata does not provide a source repository or homepage for the skill. No install script or code payload is present, so this is a provenance note rather than evidence of malicious behavior.
Source: unknown; Homepage: none
Verify the publisher and inspect the included instructions before installing; separately install gcalcli from a trusted source.