Icloud Calendar Skill

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly aligned with adding iCloud calendar events, but it has an under-disclosed code path that attempts to create a test calendar event when run without enough arguments.

Review the script before installing. It appears intended to send calendar events only to Apple's iCloud CalDAV service, but remove or avoid the demo auto-add behavior and configure credentials through environment variables or a private local secrets file rather than hard-coding them.

VirusTotal

66/66 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Medium
What this means

A user or agent invoking the script incorrectly could create an unwanted calendar event that syncs to iCloud devices.

Why it was flagged

When the script is run with too few arguments, it attempts to create a default test event using the configured iCloud credentials instead of only printing usage or failing safely. This account mutation is not described in the SKILL.md usage section.

Skill content

```python
if len(sys.argv) < 3:
    print(__doc__)
    print("\nQuick demo - adding test event:")
    ...
    add_event_to_icloud(
        "测试日程 - Test Event",
```

Recommendation

Remove the automatic demo event path, or make it a separate explicit command requiring user confirmation and clearly documented arguments.

ASI03: Identity and Privilege Abuse
Low
What this means

Anyone with access to the configured app-specific password may be able to create calendar events in the linked iCloud account.

Why it was flagged

The skill requires iCloud credentials and sends them to Apple's CalDAV endpoint, which is expected for the stated purpose but is sensitive account access.

Skill content

```
requires:
      env: ["ICLOUD_EMAIL", "ICLOUD_PASSWORD"]
...
`https://caldav.icloud.com` | iCloud email + App-Specific Password (Base64 auth), Event data (.ics) | Create calendar events
```

Recommendation

Use an Apple app-specific password, keep it out of shared files, and revoke it from your Apple ID settings if you stop using the skill.

ASI03: Identity and Privilege Abuse
Low
What this means

Users could accidentally store or share their iCloud app password in a code file.

Why it was flagged

The README suggests hard-coding credentials into the script, while SKILL.md describes using a local secrets/.env file. Hard-coding secrets in source files increases the chance of accidental sharing.

Skill content

Edit `scripts/add_event.py` and replace the credentials:

```python
ICLOUD_EMAIL = "your-email@icloud.com"
ICLOUD_PASSWORD = "your-app-specific-password"
```

Recommendation

Prefer environment variables or a local ignored secrets file, and avoid editing source files to include credentials.