Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Icloud Calendar Skill

v0.1.0

Add events to iCloud Calendar via CalDAV. Syncs to iPhone automatically with alarm reminders.

by Jintao Wang @teenlucifer
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description, required binaries (python3), and required env vars (ICLOUD_EMAIL, ICLOUD_PASSWORD) match the declared purpose (CalDAV access to iCloud). Requesting an iCloud email and app-specific password is proportionate for a calendar-creation tool.
! Instruction Scope
SKILL.md and README claim an auto-discovery feature for the calendar home path, but the included script hardcodes CALENDAR_HOME = "/8132224793/calendars/home/" rather than performing a PROPFIND discovery. The script reads credentials from secrets/.env (which is declared) — that's expected — but the README also suggests editing credentials directly in the script (bad practice). The documentation states it only talks to caldav.icloud.com and the code uses that URL, which is consistent, but the implementation is misleading about discovery and may not work as advertised.
Install Mechanism
No install spec (instruction-only plus a small script). Nothing is downloaded from untrusted URLs and no install-time code will be executed by a package manager. This is a lower-risk install model, but local script execution still requires review.
Credentials
Only ICLOUD_EMAIL and ICLOUD_PASSWORD are required, which is appropriate. The skill encourages storing credentials in secrets/.env (local). That is proportionate, but users should ensure the secrets folder is actually gitignored and avoid hardcoding credentials into scripts as suggested in README.
Persistence & Privilege
always is false and the skill does not request system-wide config changes or modify other skills. It only reads a local secrets file and uses network calls to Apple's CalDAV endpoint.
What to consider before installing
This skill largely does what it claims (creates iCloud calendar events), but there are a few red flags to check before installing or using it:
- Review the script before running. The script hardcodes CALENDAR_HOME instead of performing the claimed auto-discovery; this is a mismatch between docs and implementation and could cause failures or unexpected calendar selection.
- Confirm the script only contacts https://caldav.icloud.com (it does), and that no other network endpoints are added in your copy. You can monitor network calls when first running it.
- Do NOT hardcode your real iCloud credentials into the script. Use an app-specific password and store it in a local, gitignored secrets/.env as the SKILL.md suggests.
- Verify the repository origin and consider cloning from the declared homepage (or your own vetted source). The source listed (GitHub link) should be inspected to ensure it hasn’t been tampered with.
- The provided script is missing some imports and has simplified parsing; expect to test it in a safe environment first (e.g., throwaway iCloud account or network sandbox) and review/fix the code as needed.

If you want to proceed: inspect and (if necessary) fix the script to implement proper CalDAV discovery (PROPFIND), confirm credentials handling is safe (gitignored secrets folder), and run initial tests with an app-specific password on an account you trust. If you’re not comfortable reviewing Python code, do not install or run it with your primary iCloud credentials.

Like a lobster shell, security has layers — review code before you run it.

latest vk978rp75fpf3v54dhq44p8m83982a0rc

Runtime requirements

📅 Clawdis
Bins: python3
Env: ICLOUD_EMAIL, ICLOUD_PASSWORD
Primary env: ICLOUD_EMAIL
