ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Calendar Query

Query Matt's calendars with the gog CLI. Always prioritize the Flowcode work calendar (matt.williams@flowcode.com) and include personal calendar (williams.e....

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 44 · 1 current installs · 1 all-time installs
byMatt Williams@williamsmatt
MIT-0
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill's name and description say it will query calendars using the 'gog' CLI and prioritize two specific calendar accounts, which is consistent with the stated purpose. However, the skill metadata lists no required binaries, no primary credential, and no config paths even though the runtime instructions explicitly require the 'gog' CLI and assume it is authenticated as ferdi.bot.matt@gmail.com. This mismatch (declaring no dependencies while requiring a CLI and authenticated account) is incoherent and should be clarified.
!
Instruction Scope
SKILL.md instructs the agent to run concrete 'gog calendar events' commands against two specific email-address calendars (work and personal) and to merge results. That behavior is in-scope for a calendar-query skill. The concern is that it explicitly instructs use of an account (ferdi.bot.matt@gmail.com) and to surface personal calendar details (williams.e.matt@gmail.com) without documenting how those credentials/authorizations are provided or whether the user consents to exposing personal calendar contents. This is a privacy and authorization gap.
Install Mechanism
There is no install spec (instruction-only), which is low-risk from a code installation standpoint. However, the runtime plainly requires the 'gog' CLI to be present and authenticated — yet the manifest doesn't declare that binary as required. The lack of a declared dependency means the consumer may not realize the environment must provide and authorize that CLI beforehand.
!
Credentials
The skill accesses potentially sensitive personal data (a work calendar and a personal Gmail calendar) but declares no credentials, no env vars, and no config paths. It assumes a pre-authenticated bot account is available. Requesting access to both work and personal calendars is reasonable for a calendar skill, but the absence of explicit credential/config requirements and the inclusion of full email addresses in the instructions are disproportionate without an explanation of how access is provisioned and consented to.
Persistence & Privilege
The skill does not request permanent presence (always:false), does not include an install script, and does not claim to modify other skills or global agent settings. It does not request elevated system privileges in the manifest.
What to consider before installing
This skill will run 'gog' CLI commands to read two specific calendars (work and personal). Before installing or enabling it: 1) Confirm whether your agent environment actually has the 'gog' binary installed and authenticated as the named bot (ferdi.bot.matt@gmail.com). The manifest currently fails to declare that dependency. 2) Decide whether you want a skill that can read both a work and a personal calendar—this exposes personal schedule details; if not, request a version limited to the work calendar only. 3) Ask the skill author to declare required binaries and how authentication is supplied (env vars, config path, or interactive auth) and to document consent/ownership of the calendars referenced. 4) If you don't control or trust the pre-authenticated account, do not enable the skill because it could leak private calendar data. 5) If you proceed, run the skill in a controlled environment first and verify the exact commands it executes and the outputs it returns.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk976jnfdb00vyems410v9r2vh183dq0t

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Calendar Query Skill

Use the gog CLI (already authenticated as ferdi.bot.matt@gmail.com) to read Matt's calendars. Always follow this order:

  1. Work calendar firstmatt.williams@flowcode.com
  2. Personal calendar as asidewilliams.e.matt@gmail.com (summaries, FYIs)

Commands

List events for a specific day

gog calendar events <calendar_id> --from "YYYY-MM-DDT00:00:00" --to "YYYY-MM-DDT23:59:59"
  • Example (work calendar tomorrow):
gog calendar events matt.williams@flowcode.com --from "2026-03-18T00:00:00" --to "2026-03-18T23:59:59"

Relative ranges

  • --tomorrow, --today, --days N, --week
  • Example: next 7 days on personal calendar
gog calendar events williams.e.matt@gmail.com --days 7

Keyword search

gog calendar events <calendar_id> --query "keyword" --from <start> --to <end>

Use for finding Bulls games, travel, etc.

Multiple calendars at once

Use separate commands per calendar and merge results in your reply.

Response Pattern

  1. Summarize work calendar events chronologically (time + title + context).
  2. Add personal calendar notes afterward if relevant ("On personal calendar: ...").
  3. Mention all-day events clearly.

Tips

  • Use ISO timestamps; --from/--to are required for single-day accuracy.
  • For afternoon-specific questions, query narrowed windows (--from "2026-03-24T12:00:00").
  • When unsure about date, confirm with the user.
  • If gog errors, include the error message and suggest retrying or re-authenticating.

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…