Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Calcom Cli

v0.1.0

Manage Cal.com calendars via CLI - schedules, bookings, event types, slots, user profile. Use when user mentions 'Cal.com', 'scheduling', 'bookings', or need...

by Melvyn @melvynx
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description, resource list (schedules, bookings, event-types, slots, profile) and the documented CLI commands align. The skill does not request unrelated permissions, environment variables, or config paths beyond storing an API token locally.
Instruction Scope
SKILL.md provides concrete CLI usage and explicitly instructs to use --json and to authenticate with a Cal.com token stored at ~/.config/tokens/calcom-cli.txt. It does not instruct reading unrelated files or exfiltrating data. Note: the document also contains installation/build commands (npx api2cli, bun install) that would run network downloads if executed.
Install Mechanism
There is no formal install spec in the skill bundle (instruction-only). However, the README suggests installing via 'npx api2cli install Melvynx/calcom-cli' and, if needed, bootstrapping bun via 'curl -fsSL https://bun.sh/install | bash'. Those are legitimate ways to obtain a CLI but involve running remote installers and downloading code from GitHub — moderate risk if you don't review the upstream repository first.
Credentials
The skill declares no required environment variables and the documented auth model uses a single API token (set with 'calcom-cli auth set') stored in a local config file. That credential model is proportional and expected for a calendar API integration.
Persistence & Privilege
The skill is not always-on and does not request elevated or cross-skill configuration changes. Model invocation is allowed (default), which is appropriate for a user-invocable CLI skill; there is no evidence it modifies other skills or system-wide settings.
Assessment
This skill is coherent for interacting with Cal.com via a CLI. Before installing or running anything:
1) review the upstream GitHub repository (Melvynx/calcom-cli) to confirm code provenance;
2) avoid running curl | bash installers unless you trust the source — prefer package manager installs or inspect the script first;
3) use a least-privilege API token for Cal.com and be aware it will be stored at ~/.config/tokens/calcom-cli.txt (remove or rotate if you stop using the tool);
4) because the skill can be invoked autonomously by the agent, consider only enabling it when you trust the agent’s actions or provide a scoped token to limit potential impact.

Like a lobster shell, security has layers — review code before you run it.

latest: vk974hdxhq10m3atsfb00d27n9n82wqjc
