Calendar

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: calendar
Version: 1.0.0

The skill bundle declares `curl` and `jq` as required binaries in `SKILL.md` metadata. While `curl` is a powerful tool capable of network requests, its inclusion is plausible for a 'Calendar management and scheduling' skill that would interact with external calendar providers (e.g., Google Calendar, Apple Calendar, Outlook Calendar APIs). There is no evidence of malicious intent, data exfiltration, unauthorized execution, prompt injection, or any other harmful behavior in the provided files. The content is purely descriptive and declarative of necessary tools for its stated purpose.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If connected to a provider account, the skill may be able to see availability and create or sync calendar events.

Why it was flagged

These features imply access to third-party calendar accounts and the ability to read or modify calendar data, while the registry metadata declares no primary credential, environment variables, or config paths. This is expected for a calendar integration, but users should notice the authorization implications.

Skill content
- Create events
- Schedule meetings
- View availability
- Calendar sync

## Supported Providers

- Google Calendar
- Apple Calendar
- Outlook Calendar

Recommendation

Grant only the calendar provider and scopes you intend to use, and review event details before allowing the agent to create or sync events.

What this means

The agent may use local command-line tools to contact calendar provider APIs if the user asks it to perform calendar actions.

Why it was flagged

The skill requires command-line tools commonly used for HTTP API calls and JSON processing. That fits a provider-integration skill, and no unsafe commands are included, but it means users should review any generated shell/API commands.

Skill content
metadata: {"clawdbot":{"emoji":"📅","requires":{"bins":["curl","jq"]}}}

Recommendation

Inspect provider API commands before running them, especially commands that create, update, invite, delete, or sync events.

What this means

The publisher identity is not fully consistent across the provided metadata, which may make it harder to verify who maintains the skill.

Why it was flagged

The bundled _meta.json ownerId differs from the supplied registry owner ID, and the listing has unknown source and no homepage. There are no code files or install scripts, so this is a provenance note rather than evidence of malicious behavior.

Skill content
"ownerId": "kn76j9swysbar4zmq6nren34eh8007b4"

Recommendation

Verify the publisher in ClawHub before granting calendar account access or relying on the skill for important scheduling tasks.