Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Email to Calendar Extraction Engine
v1.0.0Extract calendar events, deadlines, action items, and follow-ups from emails. Works with any calendar provider (Google, Outlook, Apple, Notion, etc.). No external dependencies — pure agent intelligence. Use when the user forwards an email, asks to check inbox for events, or wants to extract structured scheduling data from any text.
⭐ 0· 886·3 current·3 all-time
by@1kalin
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims to scan inboxes, parse ICS attachments, detect conflicts with existing calendars, create events across Google/Outlook/Apple/Notion, and send reminders — all actions that normally require explicit connectors, OAuth tokens, or CLI tools. Yet the registry metadata lists no required environment variables, no required binaries, no config paths, and no install steps. This mismatch is not explained by the README or SKILL.md and suggests the declared package metadata is incomplete or misleading.
Instruction Scope
SKILL.md explicitly tells the agent to 'check my inbox', parse attachments, 'use the user's calendar tool to create confirmed events', 'track deadlines and send reminders', and 'flag conflicts with existing calendar' — actions that involve reading and writing user data and potentially sending outbound messages. The instructions do not define how to obtain user consent, which credentials to use, which endpoints the agent should call, or any limits on data collection. That scope is broader than the package manifests claim.
Install Mechanism
This is an instruction-only skill with no install spec or code files, so there is no installer writing arbitrary code to disk. That reduces install-time risk. The README references a 'clawhub install' example and external landing pages, but no download URLs or extract steps are present in the package itself.
Credentials
The skill requires access to email inboxes and calendars and references using 'gog' or APIs for calendar creation, yet requires.env and primary credential are empty. No OAuth client IDs, API tokens, mailbox access scopes, or config paths are declared. Requesting no credentials while instructing actions that need privileged access is disproportionate and incoherent.
Persistence & Privilege
The skill does not request always:true and does not declare system-wide changes. Autonomous invocation is allowed by default on the platform (normal). There is no evidence the skill attempts to persist credentials or modify other skills, but the missing auth-details noted above increase the operational ambiguity.
What to consider before installing
Do not install or enable this skill until the author clarifies how it will access your email and calendars. Ask for: (1) explicit list of required permissions/scopes (OAuth client IDs, tokens, or connector names), (2) which binaries or platform-provided connectors it expects (e.g., 'gog' CLI), (3) a clear description of where extracted data and reminders are stored or sent, and (4) a privacy/security policy for handling mailbox contents. If you proceed, grant the minimum scopes (read-only inbox access if only extraction, explicit calendar write scope only after review), test with a non-sensitive mailbox, and verify the skill does not transmit mailbox contents to unknown external endpoints. The current packaging is inconsistent — it needs clarification before it should be trusted.Like a lobster shell, security has layers — review code before you run it.
calendarvk9724qmnvvshztq5h933vvcbss812w4adeadlinesvk9724qmnvvshztq5h933vvcbss812w4aemailvk9724qmnvvshztq5h933vvcbss812w4aeventsvk9724qmnvvshztq5h933vvcbss812w4alatestvk9724qmnvvshztq5h933vvcbss812w4aproductivityvk9724qmnvvshztq5h933vvcbss812w4aschedulingvk9724qmnvvshztq5h933vvcbss812w4atravelvk9724qmnvvshztq5h933vvcbss812w4a
License
MIT-0
Free to use, modify, and redistribute. No attribution required.