Skill v1.0.0
ClawScan security
Cal.com · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 18, 2026, 4:56 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's documentation matches Cal.com API behavior, but it fails to declare the credentials and environment variables it actually expects (API keys, OAuth client secrets, webhook secret examples), which is an incoherence you should understand before installing.
- Guidance
- This skill appears to be correct documentation for the Cal.com API, but it omits declaring the credentials it expects. Before installing:
  - 1) verify the skill's provenance (source is unknown) and that you trust it to handle your Cal.com credentials;
  - 2) expect to provide a Cal.com API key (Bearer cal_...), and possibly OAuth client id/secret and a webhook secret — the registry should have declared these;
  - 3) do not paste production API keys into chat or expose them in client-side code; store them in a secure environment variable and limit scopes/permissions where possible;
  - 4) if you plan to use webhooks, ensure your webhook secret is managed securely and that signature verification is implemented on your endpoint;
  - 5) ask the publisher (or registry owner) to update the skill metadata to list required env vars (e.g., CAL_API_KEY, X_CAL_CLIENT_ID, X_CAL_SECRET_KEY, WEBHOOK_SECRET) so you can make an informed install decision.
Review Dimensions
- Purpose & Capability
- note: The name/description and the SKILL.md content consistently describe Cal.com API v2 endpoints for bookings, slots, schedules, calendars, webhooks and event types — that purpose matches the provided request examples and reference docs. However, the skill metadata declares no required credentials or primary credential, while the runtime documentation explicitly requires a Bearer API key (cal_...) and documents OAuth headers (x-cal-client-id, x-cal-secret-key) for platform integrations; those credentials are necessary for the stated purpose but are not declared in the skill requirements.
- Instruction Scope
- note: All instructions are scoped to calling Cal.com API endpoints and configuring webhooks; they do not instruct reading arbitrary files or system state. Example snippets reference storing/reading API keys and webhook secrets from environment variables (process.env, export CAL_API_KEY) but the skill does not declare these env vars as required — the instructions stay within the API domain but assume access to secrets that the registry metadata omits.
- Install Mechanism
- ok: This is an instruction-only skill with no install spec and no code files to execute. That minimizes installation risk because nothing is downloaded or written to disk.
- Credentials
- concern: The SKILL.md and reference files plainly expect API keys (Bearer cal_...), and optionally OAuth client id/secret and a webhook HMAC secret for signature verification, yet the skill metadata lists no required env vars or primary credential. Requiring (or assuming) multiple secrets without declaring them is disproportionate and a visibility issue: users won't be prompted to provide the necessary credentials or warned about what will be used.
- Persistence & Privilege
- ok: The skill does not request persistent inclusion (always:false), does not include installation steps that modify other skills or system settings, and contains no code that would run autonomously outside normal agent invocation.
