Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Calendar Setup
v1.1.1
Step-by-step wizard for connecting an owner's Google Calendar to their OpenClaw PA agent, including granting write permissions. Use when: setting up calendar...
⭐ 1· 67·1 current·1 all-time
by Netanel Abergel (@netanel-abergel)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill claims to help connect an owner's Google Calendar, but repeatedly instructs adding OAuth scopes beyond calendar (gmail, drive, contacts). Those extra scopes are not justified in the doc and expand access to unrelated services.
Instruction Scope
Most steps are appropriate CLI instructions using the 'gog' tool, but the 'Heleni-specific' workaround explicitly tells operators to read /opt/ocana/openclaw/.gog/credentials.json and extract client_id/client_secret/refresh_token to refresh tokens via curl. That directs reading a sensitive system path and using secrets that were not declared or justified.
Install Mechanism
No install script or external downloads — instruction-only skill with no code, which minimizes install-time risk.
Credentials
The skill declares no required env vars or config paths, yet instructs use of GOG_ACCOUNT and to access a specific system credentials file. It also instructs requesting broad credentials (gmail, drive, contacts) in addition to calendar; this is disproportionate for calendar-only functionality.
Persistence & Privilege
The skill is not forced-always and does not request system-wide persistence. Autonomous invocation is allowed (platform default) but is not combined here with other high privileges.
What to consider before installing
This skill largely looks like a normal step-by-step calendar connector, but there are two things to worry about before installing or using it: (1) it tells you to request gmail/drive/contacts scopes in addition to calendar; ask the author why those extra scopes are needed and avoid granting them unless necessary; (2) the 'Heleni-specific' workaround instructs reading /opt/ocana/openclaw/.gog/credentials.json and using client_id/client_secret/refresh_token to mint tokens. That file contains secrets; the skill did not declare access to it. Only allow that if you trust the skill source, understand exactly which account's tokens are being used, and have explicit admin consent. If you can't verify the origin or purpose, prefer the standard OAuth browser flow (gog auth add) and do not expose credentials.json.
Ask the publisher to (a) justify and minimize requested scopes (calendar-only if possible), (b) declare any config paths or admin-only instructions, and (c) remove instructions that require reading sensitive credential files or explain why an administrator must run those steps. If this will run on a shared/server environment, consult your security/IT team before following the credentials-file steps.
Like a lobster shell, security has layers — review code before you run it.
latestvk978pk7tvhcz3w3w2s4tdcms5n846prw
