Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

iCloud Calendar

v1.4.0

Manage your iCloud calendars via natural language to create, query, update, and delete events synced to your iPhone calendar using CalDAV.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name and description match its code: it uses CalDAV via a Python script to create/query/update/delete iCloud calendar events. However, the registry metadata claims no required environment variables or credentials, while SKILL.md and CONFIG.md clearly require ICLOUD_EMAIL and ICLOUD_APP_PASSWORD: a mismatch between declared metadata and what the skill actually needs.
!
Instruction Scope
SKILL.md instructs the agent to run the included Python script, passing iCloud credentials and various flags. The instructions also explicitly say it will perform modifications and deletions directly ("直接修改/删除,不重复确认", i.e. "modify/delete directly, without asking for confirmation again"). The skill writes operation logs to logs/calendar.log containing event details. These behaviors are within the calendar-management purpose but are potentially risky (silent destructive actions, local storage of sensitive calendar data).
Install Mechanism
There is no install spec (instruction-only), which reduces installer risk. The code requires Python and the third-party python-caldav library (pip install caldav) per CONFIG.md. That is expected for CalDAV access; no unusual remote download URLs or extract operations are present in the manifest.
!
Credentials
The skill legitimately needs ICLOUD_EMAIL and an iCloud app-specific password to access calendars. However, the registry metadata does not list these required env vars while SKILL.md/CONFIG.md do; this inconsistency is concerning. Also, storing the app-specific password in OpenClaw configuration means the skill will have persistent credential access; logs may include event details (sensitive personal data).
Persistence & Privilege
always:false (good). The skill can be invoked autonomously (default behavior) — normal for skills — but combined with the explicit instruction to modify/delete without reconfirmation, autonomous invocation increases risk of unintended destructive changes. The skill writes its own logs in logs/calendar.log but does not appear to alter other skills or system-wide configs.
What to consider before installing
What to check before installing:

  • Metadata mismatch: The registry says 'no required env vars' but SKILL.md/CONFIG.md require ICLOUD_EMAIL and ICLOUD_APP_PASSWORD. Confirm the registry entry matches runtime requirements; don't supply credentials until you're confident.
  • Credential scope: Only use an iCloud app-specific password (not your main Apple ID password) and consider creating a dedicated iCloud account for the skill if you want to limit blast radius.
  • Logs and sensitive data: The skill writes operations to logs/calendar.log inside the skill tree. Those logs will contain event summaries/times/locations and could be sensitive. Ensure file permissions and retention meet your privacy needs, or modify the code to avoid logging sensitive fields.
  • Destructive behavior: The SKILL.md explicitly states it will modify/delete events without asking for repeated confirmation. If you allow autonomous invocation, this can lead to undesired changes. Options: disable autonomous invocation for this skill, require explicit user confirmation before delete/update, or modify the script to require a confirm flag for destructive operations.
  • Dependency install: The script uses python-caldav. Review the caldav library version you will install and preferably install it in an isolated virtualenv.
  • Code review: The provided script appears to build iCal data, search calendars, and log actions; the prompt truncated the tail of the file. Review the full script to confirm it does not transmit data to unexpected external endpoints or log credentials. Specifically check how caldav.DAVClient is constructed and what URL it connects to (it should be iCloud's CalDAV endpoints), and verify it does not include any hard-coded external upload/exfil endpoints.

If you cannot review the full code, consider running the skill in a sandboxed environment and using a disposable/dedicated iCloud account until you are satisfied it behaves as described.
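One way to apply the "require explicit confirmation" and "avoid logging sensitive fields" suggestions on the host side, before add-event.py is ever run. This is an added example, not code from the skill or from ClawHub: `classify`, `vet`, `redact_log_line` and the `user_confirmed` parameter are hypothetical names, while the flag names and the log line format are the ones documented in SKILL.md below.

```python
import hashlib
import re

# Flags taken from SKILL.md; the grouping into classes is this example's assumption.
DESTRUCTIVE = {"--delete", "--update-find"}
READ_ONLY = {"--query", "--search"}

def classify(argv):
    """Return 'destructive', 'read' or 'create' for an add-event.py argument list."""
    flags = {a for a in argv if a.startswith("--")}
    if flags & DESTRUCTIVE:
        return "destructive"
    if flags & READ_ONLY:
        return "read"
    return "create"

def vet(argv, user_confirmed=False):
    """Decide whether the host should run this invocation. Returns (ok, reason)."""
    kind = classify(argv)
    if kind != "destructive":
        return True, kind
    if "--delete" in argv and not {"--delete-start", "--delete-end"} <= set(argv):
        # SKILL.md: without a range, --delete searches every date.
        return False, "unbounded delete: add --delete-start and --delete-end"
    if not user_confirmed:
        return False, "destructive operation needs explicit user confirmation"
    return True, kind

# Matches the documented CREATE line: [timestamp] CREATE | summary | start | calendar
LOG_RE = re.compile(r"^(\[[^\]]+\]) CREATE \| (.*?) \| (\S+) \| (.*)$")

def redact_log_line(line):
    """Replace the event title in a CREATE log line with a short digest."""
    m = LOG_RE.match(line)
    if not m:
        return line  # other line types are returned unchanged
    ts, summary, start, cal = m.groups()
    tag = hashlib.sha256(summary.encode("utf-8")).hexdigest()[:8]
    return f"{ts} CREATE | title#{tag} | {start} | {cal}"

if __name__ == "__main__":
    # Constructed invocation: keyword delete with no date range is refused
    # even when the user has confirmed.
    print(vet(["--delete", "广告"], user_confirmed=True))
```
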

Like a lobster shell, security has layers — review code before you run it.


SKILL.md

iCloud Calendar — Full CRUD via Natural Language

Manage your iCloud calendar (synced to iPhone) through natural language. Create, query, update, and delete events via CalDAV.

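Parsing rules

Extract fields from the message; fill in anything not mentioned using the inference rules.

1. Title (summary)

Extract the core of the event from the message, removing time words and filler:

  • "下周三下午3点和张总开会" (meeting with Mr. Zhang next Wednesday at 3 pm) → "和张总开会" (meeting with Mr. Zhang)
  • "明天记得交报告" (remember to hand in the report tomorrow) → "交报告" (hand in the report)
  • "周五晚上聚餐" (dinner gathering on Friday evening) → "聚餐" (dinner gathering)

2. Start time (start)

Required. Convert relative dates to absolute dates (Asia/Shanghai):

  • 今天/明天/后天/大后天 (today / tomorrow / the day after tomorrow / three days from now) → the corresponding date
  • 下周一~下周日 (next Monday through next Sunday) → the corresponding weekday of next week
  • Time of day: "下午3点" (3 pm) → 15:00; "上午九点半" (9:30 am) → 09:30; "晚上8点" (8 pm) → 20:00
  • No specific time → default 09:00

3. End time (end)

Never ask the user; infer the duration from the event type:

  • Meeting / report / review / interview → 1 hour
  • Dinner gathering / banquet / hot pot / meal → 2 hours
  • Sports / fitness / swimming / ball games → 1.5 hours
  • Movie → 2.5 hours
  • Training / course / lecture → 2 hours
  • Flight / high-speed rail / train → 3 hours (provisional; flight lookup may be added later)
  • All day → 00:00~23:59
  • Fallback → 1 hour
  • The user stated an end time → use the user's

4. Calendar selection (calendar)

Chosen automatically by the nature of the event:

  • Contains any of the keywords "开会/汇报/评审/客户/项目/出差/面试" (meeting / report / review / client / project / business trip / interview) → 工作 (Work)
  • Anything else → 个人 (Personal)

Available calendars: 个人 (Personal), 工作 (Work)

5. Location (location)

Extract it if mentioned: "在301会议室" (in meeting room 301) → "301会议室"; "去北京出差" (business trip to Beijing) → "北京". Not mentioned → empty.

6. Reminder (alarm)

  • The user says "提醒我" (remind me) → 15 minutes before the start
  • The user gives a specific lead time such as "提前10分钟" (10 minutes ahead) → use the specified time
  • Not mentioned → 15 minutes before the start (default)

7. Notes (description)

Collect additional information: participants, special requirements, and so on. "和张总一起" (together with Mr. Zhang) → the note reads "参与者:张总" (Participant: Mr. Zhang).

Execution (create an event)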

python {baseDir}/scripts/add-event.py \
    --email "$ICLOUD_EMAIL" \
    --password "$ICLOUD_APP_PASSWORD" \
    --summary "标题" \
    --start "2026-04-08T15:00:00" \
    --end "2026-04-08T16:00:00" \
    --timezone "Asia/Shanghai" \
    --location "" \
    --calendar "个人" \
    --description "" \
    --alarm-minutes 15

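Environment variables: ICLOUD_EMAIL, ICLOUD_APP_PASSWORD (configured via skills.entries.calendar-add.env)

Query (look up the calendar)

When the user asks "我明天有什么安排" (what do I have tomorrow), "这周日程" (this week's schedule) or "4月8号有什么" (what is on April 8):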

python {baseDir}/scripts/add-event.py \
    --email "$ICLOUD_EMAIL" \
    --password "$ICLOUD_APP_PASSWORD" \
    --query "today|tomorrow|week|nextweek|YYYY-MM-DD|YYYY-MM-DD~YYYY-MM-DD"

query values:

  • today / tomorrow / week / nextweek
  • Single day: 2026-04-08
  • Range: 2026-04-01~2026-04-30

Summarize the query results as a concise list in the reply to the user.

Reply format

Created successfully:

📅 已记录:和张总开会
🕐 4月8日 周三 15:00-16:00(工作日历)
📍 301会议室

Query result:

📅 明天(4月2日)有 3 个安排:
1. 10:00-11:00 日历功能测试(个人)
2. 14:00-15:00 项目评审(工作)
3. 全天  ios退款请加扣扣群...(工作)

Failure:

❌ 写入失败:{原因}

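Delete (by keyword)

When the user says "删掉xxx相关的" (delete everything related to xxx) or "删除垃圾事件" (delete the spam events), use --delete to match the keyword against summary and location: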

python {baseDir}/scripts/add-event.py \
    --email "$ICLOUD_EMAIL" \
    --password "$ICLOUD_APP_PASSWORD" \
    --delete "关键词" \
    [--delete-start "2026-01-01"] \
    [--delete-end "2026-12-31"]
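
  • --delete: required, the keyword (fuzzy match, case-insensitive)
  • --delete-start / --delete-end: optional, limit the search range; by default all dates are searched
  • Returns {"deleted": [...], "count": N}

Search events (by keyword)

When the user says "我下周有和张总的安排吗" (do I have anything with Mr. Zhang next week) or "查一下开会的日程" (look up my meetings), use --search to match the keyword against summary and location: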

python {baseDir}/scripts/add-event.py \
    --email "$ICLOUD_EMAIL" \
    --password "$ICLOUD_APP_PASSWORD" \
    --search "关键词" \
    [--search-range "2026-04-01~2026-04-30"]
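
  • --search: required, the keyword (fuzzy match, case-insensitive)
  • --search-range: optional, limits the date range; if omitted, all dates are searched
  • Returns {"events": [...], "count": N, "keyword": "关键词"}

Update an event

When the user says "改到4点" (move it to 4 o'clock), "换到工作日历" (move it to the Work calendar) or "地点改成301" (change the location to 301), use --update-find to locate the event and --update-set-* to change fields: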

python {baseDir}/scripts/add-event.py \
    --email "$ICLOUD_EMAIL" \
    --password "$ICLOUD_APP_PASSWORD" \
    --update-find "关键词" \
    [--update-set-summary "新标题"] \
    [--update-set-start "2026-04-08T16:00:00"] \
    [--update-set-end "2026-04-08T17:00:00"] \
    [--update-set-location "新地点"] \
    [--update-set-calendar "工作"] \
    [--update-start "2026-04-01"] \
    [--update-end "2026-04-30"]
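
  • --update-find: required, matches the keyword against summary (case-insensitive)
  • --update-set-*: the fields to change; fields not passed stay unchanged
  • --update-set-location "__CLEAR__": clears the location
  • --update-set-calendar: moves the event to the other calendar (个人/工作)
  • --update-start / --update-end: limit the search range
  • If several events match, the script reports an error and lists all matches so the user can be more specific
  • Returns {"updated": true, "changes": {...}}

Recurring events (RRULE)

When the user says "每周一开会" (meeting every Monday), "每天9点站会" (stand-up every day at 9) or "每两周review一次" (review every two weeks), use --rrule to add an iCal recurrence rule: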

python {baseDir}/scripts/add-event.py \
    --email "$ICLOUD_EMAIL" \
    --password "$ICLOUD_APP_PASSWORD" \
    --summary "每周例会" \
    --start "2026-04-07T09:00:00" \
    --end "2026-04-07T10:00:00" \
    --rrule "FREQ=WEEKLY;BYDAY=MO"

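Common RRULE patterns:

  • Every day: FREQ=DAILY
  • Every Monday, Wednesday and Friday: FREQ=WEEKLY;BYDAY=MO,WE,FR
  • Every other Friday: FREQ=WEEKLY;INTERVAL=2;BYDAY=FR
  • The 1st of every month: FREQ=MONTHLY;BYMONTHDAY=1
  • Limited count (10 occurrences): FREQ=WEEKLY;BYDAY=MO;COUNT=10
  • Limited by date: FREQ=WEEKLY;BYDAY=MO;UNTIL=20260630T000000Z

Operation log

All operations are recorded automatically in logs/calendar.log, in this format: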

[2026-04-01 21:00:00] CREATE | 每周例会 | 2026-04-07T09:00:00 | 工作
[2026-04-01 21:01:00] QUERY | range=week | found=4
[2026-04-01 21:02:00] DELETE | keyword=广告 | deleted=3

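Corrections

When the user says "改成4点" (change it to 4 o'clock), "换到工作日历" (move it to the Work calendar) or "取消" (cancel) → modify or delete directly, without asking for confirmation again.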

Files

4 total