iCloud Calendar — Full CRUD
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill appears purpose-aligned for iCloud Calendar management, but it requires iCloud calendar credentials and can modify or delete events.
Install only if you trust the skill with your iCloud calendar. Use an Apple app-specific password, secure your OpenClaw config file, review the script/dependency source, and use dry-run plus narrow search ranges before deleting events.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who can access these credentials or the OpenClaw config could access or modify the user’s iCloud calendar.
The skill requires an iCloud account identifier and app-specific password, which grants delegated access to the user’s iCloud calendars.
"ICLOUD_EMAIL": "your-email@icloud.com", "ICLOUD_APP_PASSWORD": "xxxx-xxxx-xxxx-xxxx"
Use an Apple app-specific password, protect the OpenClaw config file permissions, and revoke the password if the skill is no longer used.
A mistaken or overly broad delete/update request could remove or change calendar events.
The skill exposes calendar mutation and deletion tools, including keyword-based deletion, but the behavior is disclosed and includes confirmation/dry-run guidance.
delete_event ... "This permanently deletes events. Run with DELETE_DRY_RUN=1 first to preview."
Preview deletions with DELETE_DRY_RUN=1, use narrow date ranges and keywords, and confirm destructive actions only after reviewing matches.
Users have less registry-level assurance about where the skill came from and must manually manage dependencies.
The package provenance is limited and installation relies on documentation rather than a declared install spec.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Review the included script before entering credentials and install dependencies from a trusted Python environment.
Local logs may retain limited calendar-related details on disk.
The script writes persistent local operation logs, and the docs state event titles/summaries are truncated rather than omitted.
LOG_DIR = Path(__file__).resolve().parent.parent / "logs"; LOG_FILE = LOG_DIR / "calendar.log"
Avoid sharing the skill directory without reviewing logs, and delete logs if they contain sensitive calendar context.