iCloud Reminders
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: icloud-reminders Version: 0.1.6 The skill bundle provides instructions and metadata for managing Apple iCloud Reminders using a Go-based CLI tool. It facilitates standard CRUD operations and handles authentication via environment variables or local configuration files (~/.config/icloud-reminders/). While the tool handles sensitive iCloud credentials and session tokens, its behavior is transparently documented and aligned with its stated purpose, with no evidence of malicious intent, data exfiltration, or prompt injection in SKILL.md or _meta.json.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or anything with access to the credentials or session file may be able to act on the user’s iCloud Reminders account.
The skill requires Apple/iCloud account authentication and stores a reusable session, which is expected for an iCloud Reminders integration but grants sensitive account access.
Credentials are resolved in this order: 1. `ICLOUD_USERNAME` / `ICLOUD_PASSWORD` environment variables 2. `~/.config/icloud-reminders/credentials` file ... 3. Interactive prompt ... Session file (`~/.config/icloud-reminders/session.json`) is created automatically and reused.
Authenticate only if you trust the installed CLI, avoid leaving passwords in environment variables or plaintext files when possible, and protect the session file.
A mistaken or overly broad request could complete, edit, or delete reminders in the user’s iCloud account.
The skill exposes commands that mutate or delete reminders. These actions are purpose-aligned, but an agent should use them only when the user clearly intends the change.
`reminders edit abc123 --title "New title"` ... `reminders complete abc123` ... `reminders delete abc123`
Ask for confirmation before destructive actions such as deletion, and use specific reminder IDs or list names to avoid accidental changes.
The installed third-party CLI will handle iCloud credentials and sessions, so its provenance matters.
The skill depends on an external Homebrew-installed binary. This is normal for a CLI-based skill, but the binary’s source code was not included in the artifact set reviewed here.
brew | formula: icloud-reminders | creates binaries: reminders
Install only from a trusted Homebrew tap/source and review the linked project before authenticating.
Sharing an exported session archive could let another person or system access the iCloud Reminders session without the Apple ID password.
The documentation discloses that session cookies can be exported, but the phrase 'share without password' could cause users to underestimate that the archive may still grant account access.
# Export session cookies (share without password) reminders export-session session.tar.gz
Treat exported session archives like credentials; do not share them unless you intend to delegate access, and delete them when no longer needed.