iCloud CalDav
v1.0.0Direct iCloud Calendar integration via CalDAV protocol. Create, read, update, and delete calendar events without third-party services. Use when the user want...
⭐ 0· 998·3 current·3 all-time
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (iCloud CalDAV) matches the behavior in SKILL.md and the included Python script: basic CalDAV operations against Apple servers using an Apple ID and an app-specific password are expected. However the registry metadata lists no required environment variables or primary credential, which contradicts SKILL.md and the code that expect APPLE_ID and APPLE_APP_PASSWORD.
Instruction Scope
SKILL.md instructs the agent/user to set APPLE_ID and APPLE_APP_PASSWORD in environment variables and run scripts/caldav.py; that is within expected scope. But SKILL.md also references a file (references/icloud-endpoints.md) that is not present in the package, and the runtime claims (e.g., "no credentials are logged or stored" and "All communication is HTTPS to caldav.icloud.com") are assertions you should verify by inspecting the full script. The presence of a substantial script file means the skill is not purely instruction-only; the agent will execute code packaged with the skill, so the instructions alone are not the entire surface.
Install Mechanism
There is no install spec (low friction), but the included Python script depends on third-party libraries (requests, icalendar). The script prints installation hints rather than installing dependencies itself. No network downloads or archive extraction metadata were provided, which reduces install risk; still, the packaged script will be executed by the agent when invoked.
Credentials
The SKILL.md and script legitimately require APPLE_ID and APPLE_APP_PASSWORD (app-specific password) — these are proportional to CalDAV access. However, the registry metadata does not declare these required environment variables or a primary credential, which is an incoherence that prevents automated systems and users from knowing what secrets will be needed or requested. That mismatch increases the risk of accidental credential exposure or misconfiguration.
Persistence & Privilege
The skill does not request permanent inclusion (always:false) and does not claim to modify other skills or global agent settings. There is no install script writing to system locations in the metadata. That said, the code is executed at runtime and could, if malicious, make arbitrary network calls — but nothing in the visible code indicates it attempts to persist beyond its own execution context.
What to consider before installing
What to consider before installing:
- The SKILL.md and the included Python script expect two secrets: APPLE_ID and APPLE_APP_PASSWORD (app-specific password). The registry metadata incorrectly lists no required env vars — treat that as a warning sign and do not supply credentials until you are confident about the code.
- Inspect the full scripts/caldav.py file before use (or request it from the author). Confirm there are no hardcoded or alternative network endpoints, no logging of credentials, and no unexpected file writes or subprocess calls. SKILL.md claims communication is only to caldav.icloud.com; verify by searching the script for other hostnames or IP addresses.
- The package references references/icloud-endpoints.md but that file is missing. Ask the publisher for the missing reference and for a verifiable source/homepage or code repository and prefer packages with an identified, reputable maintainer.
- Run the tool in an isolated environment (sandbox or throwaway VM) the first time, and use a revocable app-specific password for testing. When finished, revoke the app-specific password at appleid.apple.com if you have any doubt.
- If the author can update the registry metadata to declare APPLE_APP_PASSWORD as the primaryEnv and include the missing reference file (and provide a public code repository / homepage), that would increase confidence. If you cannot verify the code or author, prefer official Apple methods or well-known open-source CalDAV clients.Like a lobster shell, security has layers — review code before you run it.
latest
iCloud CalDAV — Direct Calendar Access
Manage iCloud Calendar directly via CalDAV protocol. No third-party services, no data leaves your machine except to Apple's servers.
When to Use
Activate when the user wants to:
- Check their calendar or upcoming events
- Create new calendar events
- Delete existing events
- List available calendars
Do NOT use for:
- Reminders (use
apple-remindersskill if available) - Contacts (CalDAV is calendar-only)
- Non-iCloud calendars (Google, Outlook, etc.)
Prerequisites
Required credentials:
APPLE_ID— Your Apple ID email addressAPPLE_APP_PASSWORD— An app-specific password (NOT your regular Apple ID password)
To generate app-specific password:
- Go to appleid.apple.com
- Sign in → Sign-In and Security → App-Specific Passwords
- Generate a new password
- Use this password (not your regular one)
Quick Start
# Set credentials
export APPLE_ID="your.email@icloud.com"
export APPLE_APP_PASSWORD="xxxx-xxxx-xxxx-xxxx"
# List calendars
./scripts/caldav.py list-calendars
# List events for next 7 days
./scripts/caldav.py list-events --days 7
# Create an event
./scripts/caldav.py create-event \
--title "Team Meeting" \
--start "2025-07-23T14:00:00" \
--duration 60 \
--calendar "Work"
Available Operations
| Operation | Command | Description |
|---|---|---|
| List calendars | list-calendars | Show all iCloud calendars |
| List events | list-events | Events in a date range |
| Create event | create-event | Add new calendar event |
| Delete event | delete-event | Remove event by filename or UID |
Workflow Patterns
Creating Events
# Basic event
./scripts/caldav.py create-event \
--title "Dentist Appointment" \
--start "2025-07-25T09:30:00" \
--duration 30
# With location and description
./scripts/caldav.py create-event \
--title "Project Review" \
--start "2025-07-26T14:00:00" \
--duration 60 \
--location "Conference Room B" \
--description "Q3 planning review" \
--calendar "Work"
# All-day event
./scripts/caldav.py create-event \
--title "Vacation" \
--start "2025-08-01" \
--all-day
Batch Operations
Note: CalDAV does not support native batch operations. To create multiple events, run the script multiple times:
# Create multiple events by running the command multiple times
./scripts/caldav.py create-event --title "Meeting 1" --start "2025-07-26T10:00:00" --duration 60
./scripts/caldav.py create-event --title "Meeting 2" --start "2025-07-26T14:00:00" --duration 60
./scripts/caldav.py create-event --title "Meeting 3" --start "2025-07-27T09:00:00" --duration 60
iCloud handles rapid sequential requests well, but there is no single API call for creating multiple events.
Deleting Events
# Delete by filename
./scripts/caldav.py delete-event \
--file "event-name.ics" \
--calendar "Calendar"
# Delete by UID (searches calendar for matching event)
./scripts/caldav.py delete-event \
--uid "openclaw-xxx@openclaw.local" \
--calendar "Calendar"
Warning: Deletions are permanent. iCloud may have its own backup, but standard CalDAV DELETE immediately removes the event.
Date/Time Formats
- ISO 8601:
2025-07-23T14:00:00(assumes local timezone if none specified) - With timezone:
2025-07-23T14:00:00+08:00 - All-day:
2025-07-23(date only)
Security Notes
- Credentials are read from environment variables only
- No credentials are logged or stored
- All communication is HTTPS to
caldav.icloud.com - App-specific passwords can be revoked anytime at appleid.apple.com
Error Handling
| Error | Cause | Solution |
|---|---|---|
| 401 Unauthorized | Bad credentials | Check APPLE_ID and APPLE_APP_PASSWORD |
| 404 Not Found | Calendar/event doesn't exist | List calendars/events first |
| 403 Forbidden | Read-only calendar | Try a different calendar |
| Timeout | Network issue | Retry the request |
References
- See
references/caldav-protocol.mdfor CalDAV implementation details - See
references/icloud-endpoints.mdfor iCloud-specific endpoints
Comments
Loading comments...