Cal Com Automation
PassAudited by ClawScan on May 10, 2026.
Overview
No malicious behavior is evident; this is a Cal.com/Rube automation guide, but it can let an agent change bookings, webhooks, and teams through a connected account.
This skill appears coherent and purpose-aligned. Before installing, make sure you trust Rube/Composio, connect only the intended Cal.com account, and require explicit approval for booking creation, webhook changes, webhook deletion, and team creation.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could create appointments or change webhook/team settings in the connected Cal.com account.
These tools can mutate Cal.com account data. They are disclosed and aligned with the skill's purpose, but they are higher-impact actions if invoked with incorrect parameters.
`CAL_POST_NEW_BOOKING_REQUEST` - Create a new booking [Optional] ... `CAL_UPDATE_WEBHOOK_BY_ID` - Update webhook configuration [Optional] ... `CAL_DELETE_WEBHOOK_BY_ID` - Remove a webhook [Optional] ... `CAL_CREATE_TEAM_IN_ORGANIZATION` - Create a new team [Optional]
Require clear user confirmation before creating bookings, updating or deleting webhooks, or creating teams; review target IDs, times, URLs, and team names before execution.
The connected account's permissions determine what the agent can view or change, including potentially organization-level team operations.
The skill requires delegated access to a Cal.com account through Rube. That access is expected for the integration, but it gives the agent account-level authority.
Active Cal.com connection via `RUBE_MANAGE_CONNECTIONS` with toolkit `cal` ... If connection is not ACTIVE, follow the returned auth link to complete Cal.com authentication
Connect only the intended Cal.com account, prefer least-privileged access where available, and revoke the Rube/Cal.com connection when no longer needed.
Scheduling data, webhook details, and account actions may pass through Rube/Composio as part of normal operation.
Cal.com actions and related data are routed through a third-party MCP provider. This is the core design of the skill, but it introduces an external service boundary.
Add `https://rube.app/mcp` as an MCP server in your client configuration
Use this skill only if you trust the Rube MCP provider and are comfortable routing Cal.com automation through that service.