iCloud Calendar
v1.0.0从自然语言创建 iPhone 日历事件。触发词:日程、提醒、会议、安排、约、见、开、聚、飞、餐。写入 iCloud 日历,iPhone 自动同步。
⭐ 0· 5·0 current·0 all-time
MIT-0
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The skill's stated purpose (create/read/update/delete iCloud calendar events) matches the included script's behavior. However registry metadata lists no required environment variables or primary credential, while SKILL.md and CONFIG.md require ICLOUD_EMAIL and ICLOUD_APP_PASSWORD — a clear mismatch. The script also requires the Python 'caldav' package but the skill metadata doesn't declare this dependency.
Instruction Scope
SKILL.md instructs the agent to run the included Python script with the user's iCloud email and app-specific password and to perform queries, creation, updates and deletions. The instructions explicitly state that modifications/deletions happen without prompting the user ('直接修改/删除,不重复确认'), which grants the agent permission to perform destructive changes autonomously. The scope (reading and writing calendar data) is appropriate, but automatic destructive behavior without confirmation is a risky design choice.
Install Mechanism
This is an instruction-only skill with an included Python script but no install spec. The script imports the third-party 'caldav' library and expects it to be present; there is no guidance to install that package or pin a version. That omission will cause runtime failures or hidden dependency installation by an operator. No external downloads are present, which lowers some risk, but missing dependency declarations are a practical and security-relevant gap.
Credentials
The script legitimately requires ICLOUD_EMAIL and ICLOUD_APP_PASSWORD (an app-specific password) to access the user's iCloud CalDAV endpoint — these credentials are proportional to the stated purpose. However, the registry metadata omits these required env vars, and CONFIG.md suggests storing the app password in openclaw.json (or even hardcoding) which is insecure. Also, the script disables SSL verification (ssl_verify_cert=False), weakening transport security and increasing risk of credential interception.
Persistence & Privilege
always:false (good) but the skill allows autonomous invocation (default). Combined with the SKILL.md instruction that updates/deletes occur without confirmation and the script's ability to delete events across date ranges and calendars, this gives the agent potentially harmful destructive power. There is no built-in confirmation or safety guard for destructive operations.
What to consider before installing
Before installing, consider the following:
- The skill does need your iCloud account email and an Apple app-specific password to work; do not provide your main Apple ID password. The registry metadata currently does not declare these required env vars — expect to set ICLOUD_EMAIL and ICLOUD_APP_PASSWORD in your agent config.
- The included script uses the third-party Python package 'caldav' but the skill does not declare or install it. Ensure you install a vetted version (e.g., pip install caldav) in a controlled environment and review the package's source/versions.
- The script disables TLS certificate verification (ssl_verify_cert=False). This weakens network security and could permit MITM attacks that expose your credentials. Prefer a version that verifies TLS or modify the code to enable verification.
- The skill will modify and delete calendar events without asking the user (SKILL.md: no repeated confirmation). If you install it, test first with a throwaway iCloud account and the --list-calendars and query modes. Avoid giving it access to your primary calendar until you're confident.
- Do not hardcode credentials into SKILL.md or files. Store the app-specific password in secure agent secrets storage (if available) and rotate the app password if you stop using the skill.
- Recommended fixes for the author/maintainer: declare required env vars in registry metadata, add explicit dependency/install instructions for the 'caldav' package (with pinned versions), remove or make TLS verification configurable (default to true), add interactive confirmations or a safe-mode for destructive operations, and document least-privilege usage (e.g., recommend a separate iCloud account or calendar for testing).
Given these inconsistencies and risky defaults, treat the skill as suspicious and only proceed after addressing the items above or testing in a non-production account.Like a lobster shell, security has layers — review code before you run it.
latest
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
📅 Clawdis
Binspython
SKILL.md
日历事件创建
用户发送含时间+事件的消息时,解析并写入 iCloud 日历。
解析规则
从消息中提取字段,未提及的按推断规则补全。
1. 标题 (summary)
从消息中提取事件核心,去掉时间词和口癖:
- "下周三下午3点和张总开会" → "和张总开会"
- "明天记得交报告" → "交报告"
- "周五晚上聚餐" → "聚餐"
2. 开始时间 (start)
必填。相对日期→绝对日期计算(Asia/Shanghai):
- 今天/明天/后天/大后天 → 对应日期
- 下周一~下周日 → 下周对应星期几
- 时间:"下午3点"→15:00 "上午九点半"→09:30 "晚上8点"→20:00
- 无具体时间 → 默认 09:00
3. 结束时间 (end)
永远不问用户,按事件类型推断时长:
- 会议/汇报/评审/面试 → 1小时
- 聚餐/饭局/火锅/吃饭 → 2小时
- 运动/健身/游泳/打球 → 1.5小时
- 电影 → 2.5小时
- 培训/课程/讲座 → 2小时
- 飞机/高铁/火车 → 3小时(暂定,后期可查航班)
- 全天 → 00:00~23:59
- 兜底 → 1小时
- 用户说了结束时间 → 用用户的
4. 日历选择 (calendar)
按事件性质自动选:
- 含"开会/汇报/评审/客户/项目/出差/面试"关键词 → 工作
- 其他 → 个人
可用日历:个人、工作
5. 地点 (location)
提及则提取:"在301会议室"→"301会议室" "去北京出差"→"北京" 未提及 → 空
6. 提醒 (alarm)
- 用户说"提醒我" → 开始前15分钟
- 用户说具体时间"提前10分钟" → 用指定时间
- 未提及 → 开始前15分钟(默认)
7. 备注 (description)
收集额外信息:参与者、特殊要求等。"和张总一起" → 备注写"参与者:张总"
执行(创建事件)
python {baseDir}/scripts/add-event.py \
--email "$ICLOUD_EMAIL" \
--password "$ICLOUD_APP_PASSWORD" \
--summary "标题" \
--start "2026-04-08T15:00:00" \
--end "2026-04-08T16:00:00" \
--timezone "Asia/Shanghai" \
--location "" \
--calendar "个人" \
--description "" \
--alarm-minutes 15
环境变量:ICLOUD_EMAIL, ICLOUD_APP_PASSWORD(通过 skills.entries.calendar-add.env 配置)
查询(反向查日历)
用户问"我明天有什么安排""这周日程""4月8号有什么"时:
python {baseDir}/scripts/add-event.py \
--email "$ICLOUD_EMAIL" \
--password "$ICLOUD_APP_PASSWORD" \
--query "today|tomorrow|week|nextweek|YYYY-MM-DD|YYYY-MM-DD~YYYY-MM-DD"
query 值:
- today / tomorrow / week / nextweek
- 单日:2026-04-08
- 范围:2026-04-01~2026-04-30
查询结果整理为简洁列表回复用户。
回复格式
创建成功:
📅 已记录:和张总开会
🕐 4月8日 周三 15:00-16:00(工作日历)
📍 301会议室
查询结果:
📅 明天(4月2日)有 3 个安排:
1. 10:00-11:00 日历功能测试(个人)
2. 14:00-15:00 项目评审(工作)
3. 全天 ios退款请加扣扣群...(工作)
失败:
❌ 写入失败:{原因}
删除(按关键词)
用户说"删掉xxx相关的""删除垃圾事件"时,用 --delete 按关键词匹配 summary 和 location:
python {baseDir}/scripts/add-event.py \
--email "$ICLOUD_EMAIL" \
--password "$ICLOUD_APP_PASSWORD" \
--delete "关键词" \
[--delete-start "2026-01-01"] \
[--delete-end "2026-12-31"]
--delete:必填,关键词(模糊匹配,不区分大小写)--delete-start/--delete-end:可选,限定搜索范围,默认搜索所有日期- 返回
{"deleted": [...], "count": N}
示例:
# 删除所有包含"退款"的事件
python add-event.py --email xxx --password xxx --delete "退款"
# 删除2026年3月之前的所有垃圾
python add-event.py --email xxx --password xxx --delete "广告" --delete-end "2026-03-01"
修改事件
用户说"改到4点""换到工作日历""地点改成301"时,用 --update-find 定位事件 + --update-set-* 修改字段:
python {baseDir}/scripts/add-event.py \
--email "$ICLOUD_EMAIL" \
--password "$ICLOUD_APP_PASSWORD" \
--update-find "关键词" \
[--update-set-summary "新标题"] \
[--update-set-start "2026-04-08T16:00:00"] \
[--update-set-end "2026-04-08T17:00:00"] \
[--update-set-location "新地点"] \
[--update-set-calendar "工作"] \
[--update-start "2026-04-01"] \
[--update-end "2026-04-30"]
--update-find:必填,按关键词匹配 summary(不区分大小写)--update-set-*:要修改的字段,不传的保持不变--update-set-location "__CLEAR__":清除地点--update-set-calendar:移到另一个日历(个人/工作)--update-start/--update-end:限定搜索范围- 匹配到多个事件时会报错并列出所有匹配项,让用户更精确指定
- 返回
{"updated": true, "changes": {...}}
示例:
# 把"和张总开会"改到下午4点
python add-event.py --email xxx --password xxx --update-find "张总开会" --update-set-start "2026-04-08T16:00:00" --update-set-end "2026-04-08T17:00:00"
# 换到工作日历
python add-event.py --email xxx --password xxx --update-find "项目评审" --update-set-calendar "工作"
修正
用户说"改成4点""换到工作日历""取消"→ 直接修改/删除,不重复确认。
Files
3 totalSelect a file
Select a file to preview.
Comments
Loading comments…