Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Google Calendar

Interact with Google Calendar via the Google Calendar API – list upcoming events, create new events, update or delete them. Use this skill when you need programmatic access to your calendar from OpenClaw.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
11 · 10.9k · 91 current installs · 91 all-time installs
by Adrian Miller @AdrianMiller99
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The stated purpose (Google Calendar API access) matches the included code in general, but required credentials and runtime expectations differ between SKILL.md and the scripts. SKILL.md describes using CLIENT_ID/CLIENT_SECRET/REFRESH_TOKEN and storing secrets via openclaw, while the primary script (scripts/google_calendar.py) expects an environment variable GOOGLE_ACCESS_TOKEN (and optionally GOOGLE_CALENDAR_IDS). This mismatch means the declared setup doesn't actually meet the code's runtime requirements without extra steps.
Instruction Scope
SKILL.md's setup instructions reference a module invocation (python3 -m google_calendar.auth) and recommend installing google-auth libraries, but the repository provides scripts named refresh_token.py and google_calendar.py (no google_calendar.auth module) and the scripts use only the standard library (urllib). The README also tells users to store secrets via openclaw secret set, but the refresh_token script writes an access token into ~/.config/google-calendar/secrets.env — a different storage mechanism. These inconsistencies broaden the agent's runtime discretion and could lead to unexpected file writes.
Install Mechanism
No install spec is provided (instruction-only), which is lower risk. The package includes two small Python scripts (no external downloads). There is an incidental pyvenv.cfg file pointing at a user/home path and an openclaw skills path (likely a leftover build artifact) — harmless technically but it leaks a build path and suggests the repository may contain local artifacts.
Credentials
SKILL.md asks for CLIENT_ID, CLIENT_SECRET, REFRESH_TOKEN, and GOOGLE_CALENDAR_ID (reasonable for OAuth flows). The runtime code, however, expects GOOGLE_ACCESS_TOKEN (and supports GOOGLE_CALENDAR_IDS). The refresh_token script does require client id/secret/refresh token and exchanges them for an access token, but it persists the access token to ~/.config/google-calendar/secrets.env rather than returning it or storing it where openclaw secrets would. Persisting access tokens to a file in a user's home directory is a disproportionate and unexpected persistence of secrets compared with the SKILL.md's guidance to store secrets in openclaw.
Persistence & Privilege
The refresh_token.py script writes (and overwrites) ~/.config/google-calendar/secrets.env with an exported GOOGLE_ACCESS_TOKEN line. That creates on-disk persistence of a credential in the user's home directory and can be unexpected given the README's instruction to use openclaw secret storage. The skill does not request always: true and does not attempt to modify other skills, but the filesystem write is a persistent side effect worth noting.
What to consider before installing
Do not install blindly. Things to verify before using this skill:

  • Fix the env-var mismatch: the README expects a refresh-token flow but the main script expects GOOGLE_ACCESS_TOKEN at runtime. Decide which approach you want and update the docs/code accordingly.
  • Confirm how refresh tokens and access tokens are obtained and stored. The included refresh_token.py will write an access token to ~/.config/google-calendar/secrets.env; if you don't want tokens persisted to disk, do not run it or modify it to store secrets in your secret store instead.
  • The README suggests running python3 -m google_calendar.auth, but no such module exists. Confirm the correct helper to perform OAuth authorization and how to obtain an initial refresh token.
  • Inspect the scripts locally (they are short) and, if you still want to use them, run them in a restricted environment (non-privileged account) and prefer using your platform's secret storage rather than allowing the script to write credentials to your home directory.
  • The pyvenv.cfg file reveals a user/build path; that is not harmful by itself but indicates leftover artifacts — ask the publisher for a clean release or for source provenance (who maintains this skill?).

If you cannot get clear answers from the skill author (or the README is corrected to align with the code), treat this skill as suspicious and avoid granting it real Google credentials.
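One way to automate the local inspection recommended above, as an added example (not part of the scan output or the skill's code): a regex heuristic that compares the variables SKILL.md documents with the ones the scripts read, and lists home-directory paths in scripts that open files for writing. The file contents below are constructed from the scan findings, and the `audit` function and its report keys are hypothetical names.

```python
import re

# Constructed excerpts modelled on the scan findings; not the skill's real files.
SKILL_MD = """\
GOOGLE_CLIENT_ID=...
GOOGLE_CLIENT_SECRET=...
GOOGLE_REFRESH_TOKEN=...   # obtained after OAuth consent
GOOGLE_CALENDAR_ID=primary
openclaw secret set GOOGLE_REFRESH_TOKEN <value>
"""
SCRIPTS = {
    "scripts/google_calendar.py": (
        'token = os.environ["GOOGLE_ACCESS_TOKEN"]\n'
        'ids = os.getenv("GOOGLE_CALENDAR_IDS", "primary")\n'
    ),
    "refresh_token.py": (
        'cid = os.environ.get("GOOGLE_CLIENT_ID")\n'
        'sec = os.environ["GOOGLE_CLIENT_SECRET"]\n'
        'rt = os.environ["GOOGLE_REFRESH_TOKEN"]\n'
        'out = os.path.expanduser("~/.config/google-calendar/secrets.env")\n'
        'with open(out, "w") as fh:\n'
        '    fh.write("export GOOGLE_ACCESS_TOKEN=" + tok)\n'
    ),
}

# NAME=value lines and "openclaw secret set NAME" lines in the documentation.
DOC_VAR = re.compile(r"^\s*(?:openclaw secret set\s+)?([A-Z][A-Z0-9_]{2,})(?==|\s)", re.M)
# os.environ["X"], os.environ.get("X") and os.getenv("X") in the scripts.
ENV_READ = re.compile(r"os\.(?:environ(?:\.get)?|getenv)\s*[\[(]\s*[\"']([A-Z0-9_]+)[\"']")
# open(..., "w"/"a"/"x") marks a script that writes files.
WRITE_OPEN = re.compile(r"open\(\s*([^,)]+),\s*[\"'][wax]")
HOME_PATH = re.compile(r"[\"'](~/[^\"']+)[\"']")

def audit(skill_md, scripts):
    """Report doc/code environment-variable drift and home-directory write targets."""
    documented = set(DOC_VAR.findall(skill_md))
    read, writes = {}, []
    for path, src in scripts.items():
        for name in ENV_READ.findall(src):
            read.setdefault(name, []).append(path)
        if WRITE_OPEN.search(src):
            writes += [(path, p) for p in HOME_PATH.findall(src)]
    return {
        "undocumented_reads": sorted(set(read) - documented),
        "documented_unused": sorted(documented - set(read)),
        "home_writes": writes,
    }

if __name__ == "__main__":
    for key, value in audit(SKILL_MD, SCRIPTS).items():
        print(key, value)
```
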

Like a lobster shell, security has layers — review code before you run it.

Current version v0.1.0
latestvk974ssbjy3yv8ms0accztps349809z11

SKILL.md

Google Calendar Skill

Overview

This skill provides a thin wrapper around the Google Calendar REST API. It lets you:

  • list upcoming events (optionally filtered by time range or query)
  • add a new event with title, start/end time, description, location, and attendees
  • update an existing event by its ID
  • delete an event by its ID

The skill is implemented in Python (scripts/google_calendar.py). It expects the following environment variables to be set (you can store them securely with openclaw secret set):

GOOGLE_CLIENT_ID=…
GOOGLE_CLIENT_SECRET=…
GOOGLE_REFRESH_TOKEN=…   # obtained after OAuth consent
GOOGLE_CALENDAR_ID=primary   # or the ID of a specific calendar

The first time you run the skill you may need to perform an OAuth flow to obtain a refresh token – see the Setup section below.

Commands

google-calendar list [--from <ISO> --to <ISO> --max <N>]
google-calendar add   --title <title> [--start <ISO> --end <ISO>]
                     [--desc <description> --location <loc> --attendees <email1,email2>]
google-calendar update --event-id <id> [--title <title> ... other fields]
google-calendar delete --event-id <id>

All commands return a JSON payload printed to stdout. Errors are printed to stderr and cause a non‑zero exit code.

Setup

  1. Create a Google Cloud project and enable the Google Calendar API.
  2. Create OAuth credentials (type Desktop app). Note the client_id and client_secret.
  3. Run the helper script to obtain a refresh token:
    GOOGLE_CLIENT_ID=… GOOGLE_CLIENT_SECRET=… python3 -m google_calendar.auth
    
    It will open a browser (or print a URL you can open elsewhere) and ask you to grant access. After you approve, copy the refresh_token it prints.
  4. Store the credentials securely:
    openclaw secret set GOOGLE_CLIENT_ID <value>
    openclaw secret set GOOGLE_CLIENT_SECRET <value>
    openclaw secret set GOOGLE_REFRESH_TOKEN <value>
    openclaw secret set GOOGLE_CALENDAR_ID primary   # optional
    
  5. Install the required Python packages (once):
    pip install --user google-auth google-auth-oauthlib google-api-python-client
    

How it works (brief)

The script loads the credentials from the environment, refreshes the access token using the refresh token, builds a service = build('calendar', 'v3', credentials=creds), and then calls the appropriate API method.

Note: This skill does not require a GUI; it works entirely via HTTP calls, so it is suitable for headless servers.

Files

4 total