Skylight

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its Skylight calendar purpose, but its login instructions request sensitive account credentials and include unexplained marketing/text opt-in fields.

Review the authentication instructions before installing. If you use it, avoid the proxy-token method unless necessary, protect your Skylight password/token, and do not run the provided login payload unless you are comfortable with the marketing/text opt-in fields or have removed them.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the provided login command could send marketing/text opt-in values the user did not explicitly approve.

Why it was flagged

These consent- or marketing-related fields are included in the login request used to generate an auth token, but the skill does not explain why they are necessary for calendar access.

Skill content

"textMeTheApp": "true", "agreedToMarketing": "true"

Recommendation

Remove these fields, set them to false, or document and request explicit user consent before sending them.

What this means

Anyone with access to these environment variables or the token could access or modify the user's Skylight household data.

Why it was flagged

The skill needs either the user's Skylight password or a full session authorization header to call the Skylight API.

Skill content

`SKYLIGHT_EMAIL`: Your Skylight account email
- `SKYLIGHT_PASSWORD`: Your Skylight account password

Option B - Pre-captured token:
- `SKYLIGHT_TOKEN`: Full Authorization header value

Recommendation

Store credentials carefully, avoid sharing logs or shell history containing tokens, and rotate or recapture the token if exposed.

What this means

A trusted proxy certificate and captured session token are sensitive; if mishandled, they can expose account traffic or account access.

Why it was flagged

The optional token-capture method asks the user to intercept HTTPS traffic and extract an Authorization header.

Skill content

Install Proxyman/Charles/mitmproxy and trust root certificate ... Enable SSL proxying for `app.ourskylight.com` ... Copy `Authorization` header value

Recommendation

Prefer the normal login method when possible, limit proxying to the Skylight domain, remove the proxy root certificate afterward, and protect captured tokens.

What this means

If used incorrectly, the agent could create or change chores, task box items, or other household data.

Why it was flagged

The skill documents raw API calls that can create or manage Skylight household items.

Skill content

curl -s -X POST "$SKYLIGHT_URL/api/frames/$SKYLIGHT_FRAME_ID/chores"

Recommendation

Use the skill only for requested Skylight changes and confirm details before running write operations.