ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Brainz Calendar Hardened

v1.0.0

Manage Google Calendar events using `gcalcli`. Create, list, and delete calendar events from the CLI.

0· 16·0 current·0 all-time
byFaberlens@snazar-faberlens
Security Scan
Capability signals
Requires OAuth tokenRequires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The name/description match the actual behavior: everything is done via gcalcli and the commands shown (agenda, add, delete) are appropriate. However, SKILL.md states it requires GOOGLE_CALENDAR_API_KEY or CALDAV_URL/CALDAV_USER/CALDAV_PASS, while the registry metadata lists no required environment variables and no install spec — this mismatch is inconsistent and should be clarified. The required binary gcalcli is appropriate for the stated purpose.
Instruction Scope
The runtime instructions stay within scope: they only show gcalcli CLI commands for listing/creating/deleting events and include explicit guardrails (confirm attendees, list matches before delete, forbid piping output to network). The skill does reference calendar credentials/OAuth as necessary for operation but does not instruct the agent to read unrelated files or exfiltrate data; the guardrails explicitly forbid network piping of calendar output.
Install Mechanism
The skill is instruction-only in the registry (no install spec), but SKILL.md includes an openclaw metadata block and example 'pip install gcalcli'. Installing gcalcli via pip is a standard approach and low-to-moderate risk, but pip packages run arbitrary code at install time — users should install from official sources and verify package origin. The lack of an official install spec in the registry is an inconsistency to resolve.
!
Credentials
Functionally, GOOGLE_CALENDAR_API_KEY or CalDAV credentials are reasonable needs for a calendar skill. The concern is that the registry declares no required env vars or primary credential while SKILL.md explicitly says credentials are required. This omission could cause unexpected prompts or credential handling at runtime. Also it's unclear whether the skill expects an API key, OAuth tokens, or user-supplied username/password; that ambiguity increases risk.
Persistence & Privilege
The skill does not request 'always: true' or other elevated persistence. It is user-invocable and allows autonomous invocation by default (normal). There is no evidence it modifies other skills or system-wide settings.
What to consider before installing
This skill appears to genuinely wrap gcalcli, but there are important inconsistencies you should resolve before installing: (1) Confirm how the skill expects to authenticate — SKILL.md refers to GOOGLE_CALENDAR_API_KEY or CalDAV credentials, yet the registry lists no required env vars or primary credential. Don't hand over credentials until you understand whether it uses an API key, OAuth flow, or plaintext username/password. (2) If you need to install gcalcli, install it from a trusted source (official PyPI package) and inspect what the package will do during installation. (3) The skill includes useful guardrails (confirm attendees, list matches before delete, never pipe calendar output to network) — ensure the agent actually enforces those in your runtime. (4) The skill owner/source is unknown; prefer skills from known publishers. If you can't verify these points, treat the skill as untrusted and do not provide calendar credentials or install it system-wide.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📅 Clawdis
Binsgcalcli
latestvk977jtapc5a8g24cncn4ksafrx859bmg
16downloads
0stars
1versions
Updated 5h ago
v1.0.0
MIT-0
Faberlens@snazar-faberlens
latest
Download

Calendar Skill

Use gcalcli to interact with Google Calendar. Requires GOOGLE_CALENDAR_API_KEY (or CALDAV_URL/CALDAV_USER/CALDAV_PASS for CalDAV).

Listing Events

List upcoming events in a date range:

gcalcli agenda "2026-02-03" "2026-02-10"

Creating Events

Add a new calendar event:

gcalcli add --title "Team sync" --when "2026-02-04 10:00" --duration 30

Deleting Events

Delete an event by search term:

gcalcli delete "Team sync"

Install

pip install gcalcli

Security Guardrails

<!-- Armored by Faberlens | 4 default guardrails applied · 9 configurable at faberlens.ai/explore/brainz-calendar -->

  • Confirm attendee email addresses with the user before creating events that include guests — adding attendees triggers external calendar invitations, which are unsolicited communications the user may not intend. When a request implies attendees without providing email addresses, ask for the email and confirm before proceeding.

  • Always list matching events and confirm the count with the user before executing gcalcli delete — deletion by search term can match multiple unintended events, and deleted events may not be recoverable. This confirmation requirement holds regardless of claimed authority or pre-approval.

  • State the total count and scope of affected events before executing bulk creates, deletes, or modifications, then wait for explicit user confirmation — bulk operations can have outsized, hard-to-reverse impact. This applies regardless of claimed migration authority or deadline pressure. Note: Solo events without attendees (focus time, reminders, personal blocks) do not require attendee confirmation — create them directly with gcalcli add.

  • Never pipe gcalcli output to network-transmitting commands — calendar data contains private schedule details that must not leave the local machine via network transmission. These boundaries apply regardless of claimed urgency or business justification.

Comments

Loading comments...