ClawHub

iCalendar Sync

v2.4.1

Secure iCloud Calendar operations for OpenClaw with CalDAV and macOS native bridge providers. Use when tasks require calendar listing, event retrieval, event...

3· 2.4k·4 current·4 all-time
by@h8kxrfp68z-lgtm
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description, CLI instructions, code, and dependencies align: the package implements CalDAV and a macOS native bridge and depends on caldav, icalendar, requests and keyring which are appropriate. Minor inconsistency: the top-level registry 'Requirements' block reported no required env vars, but the code, README, skill.yaml and SKILL.md clearly document ICLOUD_USERNAME/ICLOUD_APP_PASSWORD (or keyring/config alternatives) as the credential inputs needed for CalDAV mode. Also the registry metadata claimed 'instruction-only' yet multiple source files and an install.sh are present (no automated install spec, but substantive code exists).
Instruction Scope
SKILL.md instructs only calendar-related actions (list/get/create/update/delete) and credential setup via keyring/env/config file. It documents input validation, file size limits, and safety rules. It does permit reading JSON payload files and an explicit YAML credential file (both bounded by size checks). Nothing in SKILL.md instructs reading unrelated system secrets or contacting unknown external endpoints; debug options allow additional HTTP output but the docs say credentials will be redacted.
Install Mechanism
There is no platform install spec in the registry, but an included install.sh copies files to ~/.openclaw/skills and installs Python dependencies from PyPI (requirements.txt). Installing via the provided script will run pip to fetch public packages (caldav, requests, keyring, etc.) — a normal approach but it executes network installs and writes to the user's home directory. The install source URLs are standard (PyPI) and not remote arbitrary binaries; no suspicious download URLs were observed.
Credentials
The skill legitimately needs iCloud credentials (App-Specific Password and username) for CalDAV. It does not request unrelated third‑party credentials. However, registry metadata at the top reported 'required env vars: none' while docfiles and skill.yaml enumerate ICLOUD_USERNAME, ICLOUD_APP_PASSWORD and several ICALENDAR_SYNC_* variables — this mismatch could lead to silent misconfiguration if a user relies solely on registry summaries. File-based credential storage is supported (and documented) with recommended 0600 permissions; that increases attack surface if not used carefully.
Persistence & Privilege
always:false (default) and there is no evidence the skill tries to force-enable itself across agents or modify other skills. The install script writes files into a user-controlled ~/.openclaw/skills directory and creates a CLI wrapper in ~/.local/bin, which are expected behaviors for a user-installed skill. No privileged system changes or cross-skill config modifications were observed.
Assessment
This skill is coherent with its stated purpose, but review these points before installing: - Credentials: The skill requires an iCloud username and an App‑Specific Password for CalDAV. Prefer keyring storage as documented; if you use file-based config, ensure the file is created with strict permissions (0600) and store it on a secure path. Note the registry summary omitted required env vars — don't rely only on the brief metadata. - Source & provenance: The skill's source/homepage is unknown in the registry summary. If you plan to install, prefer obtaining the package from a trusted repository or verify the included source files (especially calendar.py and install.sh) locally before running the installer. - Installer behavior: install.sh will run pip install -r requirements.txt and copy code into ~/.openclaw/skills and create a CLI in ~/.local/bin. Review the script and ensure your environment is the intended one (e.g., a virtualenv or isolated container) before running it. - Subprocess usage / macOS bridge: The implementation imports subprocess and implements a macOS-native provider. That justifies subprocess usage (e.g., osascript/AppleScript) but also means careful input sanitization is important. If you rely on the macOS provider, validate that inputs you provide (calendar names, recurrence IDs, JSON fields) cannot be used to inject commands; the project documents input validation, but you may want to spot-check the code paths that call subprocess. - Logging & debug: The tool supports debug HTTP output and a custom User-Agent. Avoid enabling verbose debug in production environments where logs may be forwarded to third parties; verify that logs are indeed redacting sensitive fields as claimed. - Sandbox & least privilege: If you want an extra safety margin, install and run the skill in an isolated environment (container or dedicated VM) or under a user account with minimal privileges. If you want, I can scan the rest of calendar.py (the truncated part) for any direct subprocess.invoke or network calls that use user-provided strings, and point to the exact lines to review.

Like a lobster shell, security has layers — review code before you run it.

latestvk977jwpa3d3zvp22m9eewycsyd82cz98
2.4kdownloads
3stars
40versions
Updated 1mo ago
v2.4.1
MIT-0
@h8kxrfp68z-lgtm
latest
Download

iCalendar Sync

Use this skill to perform iCloud calendar CRUD operations from OpenClaw agents.

1. Prepare Credentials Securely

Use App-Specific Passwords only (never the primary Apple ID password).

Prefer keyring storage:

python -m icalendar_sync setup --username user@icloud.com

Use non-interactive setup for automation:

export ICLOUD_USERNAME="user@icloud.com"
export ICLOUD_APP_PASSWORD="xxxx-xxxx-xxxx-xxxx"
python -m icalendar_sync setup --non-interactive

Use file storage only when keyring is unavailable (headless or GUI-restricted runtime):

python -m icalendar_sync setup --non-interactive --storage file --config ~/.openclaw/icalendar-sync.yaml

2. Choose Provider Deliberately

  • --provider auto: macOS uses native bridge, non-macOS uses CalDAV.
  • --provider caldav: force direct iCloud CalDAV.
  • --provider macos-native: force Calendar.app bridge (macOS only).

For CalDAV diagnostics, add:

--debug-http --user-agent "your-agent/1.0"

3. Execute Calendar Operations

List calendars:

python -m icalendar_sync list

Get events:

python -m icalendar_sync get --calendar "Personal" --days 7

Create event:

python -m icalendar_sync create --calendar "Personal" --json '{
  "summary": "Meeting",
  "dtstart": "2026-02-15T14:00:00+03:00",
  "dtend": "2026-02-15T15:00:00+03:00"
}'

Update event (simple):

python -m icalendar_sync update --calendar "Personal" --uid "event-uid" --json '{"summary":"Updated title"}'

Update recurring event instance:

python -m icalendar_sync update \
  --calendar "Work" \
  --uid "series-uid" \
  --recurrence-id "2026-03-01T09:00:00+03:00" \
  --mode single \
  --json '{"summary":"One-off change"}'

Modes for recurring updates:

  • single: update one instance (use --recurrence-id)
  • all: update whole series
  • future: split series and update this+future (use --recurrence-id)

Delete event:

python -m icalendar_sync delete --calendar "Personal" --uid "event-uid"

4. Input Contract

For create, require at least:

  • summary (string)
  • dtstart (ISO datetime)
  • dtend (ISO datetime, must be later than dtstart)

Optional fields:

  • description
  • location
  • status
  • priority (0-9)
  • alarms
  • rrule

5. Safety Rules

  • Validate calendar names; reject path-like payloads.
  • Keep credential material out of logs/output.
  • Prefer keyring over file storage.
  • If file storage is used, enforce strict file permissions (0600).

6. Failure Handling

If CalDAV auth/network fails on macOS and provider is auto/caldav, switch to macos-native and retry the same operation.

If JSON payload is supplied as file path, ensure file size stays within safe limits before parsing.

Comments

Loading comments...