PortEden - secured calendar(Gmail, Outlook, Exchange) access for OpenClaw
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used incorrectly, the agent could alter meetings, delete events, or respond to invitations on the user's behalf.
The skill exposes commands that can change or delete calendar events and send invite responses. This is aligned with the stated calendar-management purpose, and the artifact also says to confirm before creating, updating, or deleting events.
- Create event: `porteden calendar create ...` ... - Update event: `porteden calendar update ...` ... - Delete event: `porteden calendar delete <eventId>` ... - Respond to invite: `porteden calendar respond <eventId> accepted`
Only allow event creation, updates, deletion, or invite responses after reviewing the exact calendar, event ID, attendees, time, and notification behavior.
Installing and configuring the skill may give the CLI ongoing access to connected calendar accounts until credentials are revoked.
The skill requires a PortEden API key or login session that can access calendar accounts. This credential use is disclosed and expected for Gmail, Outlook, and Exchange calendar management.
- **Browser login (recommended):** `porteden auth login` — opens browser, credentials stored in system keyring ... If `PE_API_KEY` is set in the environment, the CLI uses it automatically
Use the least-privileged account/profile available, protect PE_API_KEY, and revoke or remove stored credentials when the integration is no longer needed.
Future CLI versions could change behavior or permissions, especially when installed with the unpinned Go command.
The skill depends on an external CLI installed from Homebrew or Go, with the Go route using an unpinned '@latest' version. This is disclosed and central to the skill, but it means users rely on that external package source.
brew | formula: porteden/tap/porteden ... go | module: github.com/porteden/cli/cmd/porteden@latest
Prefer a trusted installation source and, where possible, pin or verify the CLI version before using it with calendar credentials.