ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Calendar Reminders (gcalcli + CalDAV)

Provides a config-driven wrapper around gcalcli plus optional CalDAV integration to generate JSON reminder plans for scheduling one-shot OpenClaw reminders.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 1.5k · 7 current installs · 7 all-time installs
by@adorostkar
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description describe a gcalcli + CalDAV reminder planner and the included Python script and example config implement that. One minor incoherence: the registry metadata claims no required binaries, but SKILL.md and the script clearly expect python3 and gcalcli (and optionally khal/vdirsyncer). This appears to be an omission in metadata rather than malicious behavior.
Instruction Scope
Runtime instructions and the script only read a user config (~/.config/openclaw/calendar.json or path set by OPENCLAW_CALENDAR_CONFIG), optionally read a state file under ~/.local/state, and call gcalcli/khal/vdirsyncer to collect events. The skill does not try to read unrelated system files, request unrelated env vars, or post data to remote endpoints. Subprocess calls use argument lists (no shell=True), which the README notes and the code uses.
Install Mechanism
There is no install spec (instruction-only + included script). Nothing is downloaded or written by an installer in the bundle. Risk is limited to executing the included Python script and whatever user-installed calendar tools (gcalcli/khal/vdirsyncer) do.
Credentials
The skill does not request secrets directly; it relies on local gcalcli OAuth credentials and any CalDAV credentials the user has configured. This is proportionate to its purpose, but users should be aware that gcalcli/khal will use stored OAuth/CalDAV credentials — the skill itself will inherit environment variables and will run external binaries, so ensure those clients' credentials are stored securely and that you point gcalcliPath/khalBin to trusted absolute paths.
Persistence & Privilege
The skill is not always-enabled and does not request elevated privileges. It is intended to be invoked by a cron job or agent run; it may read or write a small state file under the user's home directory (expected behavior to avoid duplicate reminders). It does not attempt to modify other skills or system-wide configuration.
Assessment
This skill appears to do what it says: it reads your calendar tools (gcalcli and optionally khal/vdirsyncer) and emits a JSON plan of one-shot reminders. Before installing/using it: 1) Confirm the registry metadata omission — ensure you have python3, gcalcli (and khal/vdirsyncer if you enable CalDAV) installed and configured. 2) Verify gcalcli/khal are trusted binaries (use absolute paths in config) so the script does not end up executing an unexpected program. 3) Understand that OAuth/CalDAV credentials are handled by those clients — the skill will inherit whatever local credentials they use, so keep those credentials private. 4) Review where the state file will live (default ~/.local/state/openclaw/calendar-reminders-state.json) and who can read/write it. 5) If you wire a cron job to run vdirsyncer, run it as an argv list (no shell string) as advised in the SKILL.md to avoid shell-injection risk. If you want higher assurance, inspect the remainder of the included script (the truncated portion) to confirm it doesn't write unexpected network calls or state outside the declared paths.

Like a lobster shell, security has layers — review code before you run it.

Current versionv0.1.1
Download zip
latestvk973n30m8q6grdfxg068tn1zjx81ff24

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

gcalcli calendar wrapper + reminder planner

This skill provides:

  • scripts/calendar — wrapper around gcalcli
  • scripts/calendar_reminder_plan.py — produces a JSON plan for reminder scheduling
  • references/openclaw-calendar.example.json — example config format

Config

Copy the example config to a private location and edit it:

  • Default path: ~/.config/openclaw/calendar.json
  • Override with env: OPENCLAW_CALENDAR_CONFIG=/path/to/calendar.json

Requirements

  • Required: python3, gcalcli
  • Optional (for CalDAV/iCloud): vdirsyncer, khal

Security notes (why ClawHub may flag this)

This skill invokes external binaries and is config-driven.

  • The planner runs gcalcli/khal using subprocess.check_output([...], shell=False) (argument-list form; safe against shell injection from event titles).
  • If you wire a cron job to run vdirsyncerSyncCommand, make sure you run it as an argv list (subprocess.run(cmd_list, shell=False)), not as a shell string.
  • Only point gcalcliPath / khalBin to trusted binaries (prefer absolute paths). Don’t run untrusted paths.

Auth (Google)

gcalcli requires OAuth. On headless servers you may need SSH port-forwarding. The wrapper uses --noauth_local_server to print instructions.

Reminder planning

The planner outputs a JSON blob describing reminders to schedule. A separate cron job (or an agent turn) can read it and create one-shot OpenClaw reminders.

Defaults:

  • Ignore birthdays.
  • Timed events are considered important.
  • All-day events only trigger reminders if their title matches configured keywords.

Wiring a daily reminder scheduler (OpenClaw)

Create a daily cron job (e.g. 00:05 local time) that:

  1. If CalDAV is enabled in config, runs the configured vdirsyncer sync command.
  2. Runs scripts/calendar_reminder_plan.py to get a JSON plan.
  3. For each planned reminder, creates a one-shot OpenClaw systemEvent reminder at reminderAtUtc.
  4. Writes a small state file so you don’t schedule duplicates.

(Our skill intentionally provides the wrapper + planner; scheduling is left to your cron/agent wiring.)

Files

3 total
Select a file
Select a file to preview.

Comments

Loading comments…