Calendar Crab
Google Calendar CLI — list, create, move, and delete events. Zero dependencies, just Node.js + Google OAuth.
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 0 · 88 · 0 current installs · 0 all-time installs
by@clawbob
MIT-0
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
Name, description, README, SKILL.md, and the single JS file all implement a Google Calendar CLI (list/create/move/delete) using Google OAuth and the Calendar REST API. The functionality requested (OAuth client_id/client_secret/refresh_token) is appropriate for the stated purpose.
Instruction Scope
Runtime instructions and the script restrict actions to Google OAuth/token refresh and Calendar API calls. The SKILL.md does not instruct the agent to read unrelated files or transmit data to non-Google endpoints. The script exclusively contacts oauth2.googleapis.com and www.googleapis.com.
Install Mechanism
No install spec (instruction-only) and the included code is a single Node.js script. Nothing is downloaded from arbitrary URLs or installed automatically; risk from install mechanism is low.
Credentials
The metadata declares no required env vars or config paths, but SKILL.md and the code require a secrets directory (CALENDAR_CRAB_SECRETS defaulting to ~/.openclaw/secrets) containing the OAuth JSON files and will write refreshed tokens back to that path. This discrepancy (undeclared required config path/credentials) is a coherence gap and increases risk if users expect no local credential files to be accessed or modified.
Persistence & Privilege
always is false and the skill does not request system-wide changes or modify other skills. It does write updated tokens back into its own secrets file (normal for OAuth clients). Note that autonomous invocation is allowed by default — if you permit the agent to invoke skills autonomously it can access the calendar whenever it runs.
What to consider before installing
This skill appears to be a straightforward Google Calendar CLI whose code touches only Google endpoints, but there are a few things to consider before installing:
- Metadata mismatch: The registry entry lists no required env vars or config paths, yet SKILL.md and the script require OAuth credentials and a refresh token saved under a secrets directory (CALENDAR_CRAB_SECRETS, default ~/.openclaw/secrets). Confirm you are comfortable placing client_id/client_secret and a refresh_token there and that the path does not contain unrelated secrets.
- Secrets handling: The script will read and overwrite the token file (it auto-refreshes access tokens and writes them back). Ensure the secrets directory has tight filesystem permissions (restrict to your user), and consider using a dedicated Google project and credentials with the narrowest scopes possible.
- Source provenance: The skill's Source/Homepage is unknown. If you plan to install, review the full calendar-crab.js yourself (it is included) or run it in an isolated environment first. Verify the OAuth endpoints are oauth2.googleapis.com and www.googleapis.com (they are in the code) and that there are no hidden exfiltration endpoints.
- Least privilege & rotation: Use a dedicated OAuth client and refresh token for this tool, and be prepared to revoke/rotate the token if you stop using the skill.
If you want to proceed, verify and create the secrets files as documented, inspect the JS file locally, and run it in a controlled environment. If you prefer, ask the maintainer for a repository/homepage and signed release to increase confidence.Like a lobster shell, security has layers — review code before you run it.
Current versionv1.0.0
Download zipcalendargooglelatestproductivity
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
Calendar Crab
Google Calendar management via a single Node.js script. No npm install needed.
Prerequisites
- Node.js 18+
- Google Cloud project with Calendar API enabled
- OAuth credentials + refresh token saved to
~/.openclaw/secrets/(see Setup below)
Commands
List upcoming events
node calendar-crab.js list --days=7 --max=20
Create an event
node calendar-crab.js create \
--title="Team Sync" \
--date=2026-03-20 \
--time=10:00 \
--duration=30 \
--location="Zoom" \
--attendees="alice@co.com,bob@co.com" \
--description="Weekly sync" \
--tz="America/Los_Angeles"
Move an event
# By date + time
node calendar-crab.js move --date=2026-03-20 --from=10:00 --to=14:00
# By event ID
node calendar-crab.js move --id="EVENT_ID" --to="2026-03-20T14:00:00-07:00"
Delete an event
node calendar-crab.js delete --id="EVENT_ID"
node calendar-crab.js delete --date=2026-03-20 --time=10:00
Configuration
| Env var | Default | Description |
|---|---|---|
CALENDAR_CRAB_SECRETS | ~/.openclaw/secrets | Directory containing OAuth + token JSON files |
CALENDAR_CRAB_TZ | System local | Default timezone for events |
CALENDAR_CRAB_CALENDAR | primary | Google Calendar ID |
Timezone can also be set per-command with --tz=America/Los_Angeles.
Execution rules
- Always
listfirst to verify the target event exists and is unique. moveanddeleteauto-notify all attendees (sendUpdates=all).- On failure, the raw Google API error is returned for debugging.
Setup
- Go to Google Cloud Console and create a project.
- Enable the Google Calendar API.
- Create OAuth 2.0 credentials (Desktop app type).
- Save the credentials as
~/.openclaw/secrets/google-calendar-oauth.json:{ "client_id": "YOUR_CLIENT_ID", "client_secret": "YOUR_CLIENT_SECRET" } - Obtain a refresh token via the OAuth flow and save as
~/.openclaw/secrets/google-calendar-token.json:
The script auto-refreshes the access token using the refresh token.{ "refresh_token": "YOUR_REFRESH_TOKEN", "access_token": "", "expires_in": 0, "obtained_at": "" }
Files
3 totalSelect a file
Select a file to preview.
Comments
Loading comments…