ClawHub

Cal.com

v1.0.0

Interact with the Cal.com API v2 to manage scheduling, bookings, event types, availability, and calendars. Use this skill when building integrations that nee...

0· 602·0 current·0 all-time
byPeer Richelsen@peerrich
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description and the SKILL.md content consistently describe Cal.com API v2 endpoints for bookings, slots, schedules, calendars, webhooks and event types — that purpose matches the provided request examples and reference docs. However, the skill metadata declares no required credentials or primary credential, while the runtime documentation explicitly requires a Bearer API key (cal_... ) and documents OAuth headers (x-cal-client-id, x-cal-secret-key) for platform integrations; those credentials are necessary for the stated purpose but are not declared in the skill requirements.
Instruction Scope
All instructions are scoped to calling Cal.com API endpoints and configuring webhooks; they do not instruct reading arbitrary files or system state. Example snippets reference storing/reading API keys and webhook secrets from environment variables (process.env, export CAL_API_KEY) but the skill does not declare these env vars as required — the instructions stay within API domain but assume access to secrets that the registry metadata omits.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to execute. That minimizes installation risk because nothing is downloaded or written to disk.
!
Credentials
The SKILL.md and reference files plainly expect API keys (Bearer cal_...), and optionally OAuth client id/secret and webhook HMAC secret for signature verification, yet the skill metadata lists no required env vars or primary credential. Requiring (or assuming) multiple secrets without declaring them is disproportionate and a visibility issue: users won't be prompted to provide the necessary credentials or warned about what will be used.
Persistence & Privilege
The skill does not request persistent inclusion (always:false), does not include installation steps that modify other skills or system settings, and contains no code that would run autonomously outside normal agent invocation.
What to consider before installing
This skill appears to be correct documentation for the Cal.com API, but it omits declaring the credentials it expects. Before installing: 1) verify the skill's provenance (source is unknown) and that you trust it to handle your Cal.com credentials; 2) expect to provide a Cal.com API key (Bearer cal_...), and possibly OAuth client id/secret and a webhook secret — the registry should have declared these; 3) do not paste production API keys into chat or expose them in client-side code; store them in a secure environment variable and limit scopes/permissions where possible; 4) if you plan to use webhooks, ensure your webhook secret is managed securely and that signature verification is implemented on your endpoint; 5) ask the publisher (or registry owner) to update the skill metadata to list required env vars (e.g., CAL_API_KEY, X_CAL_CLIENT_ID, X_CAL_SECRET_KEY, WEBHOOK_SECRET) so you can make an informed install decision.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bp58t7wchcbxswwagt10aqn81crj3

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments