ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pub Caldav

v1.0.0

Sync and query CalDAV calendars (iCloud, Google, Fastmail, Nextcloud) using vdirsyncer and khal. And also 50+ models for image generation, video generation,...

0· 174·0 current·0 all-time
by@tobeyrebecca
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
Name/description promise CalDAV sync with vdirsyncer and khal, but SKILL.md contains no vdirsyncer/khal commands, CalDAV endpoints, or calendar-auth instructions. Instead it documents an unrelated third-party API (api.heybossai.com) and many model IDs. The single required env var (SKILLBOSS_API_KEY) and the documented curl calls are unrelated to calendar sync, which is a clear mismatch.
!
Instruction Scope
Runtime instructions instruct the agent to call https://api.heybossai.com using curl and an API key and describe many model endpoints. Allowed tools include Bash and Read, so an agent following these instructions could easily send local data (including calendar contents if asked) to the external API. The SKILL.md does not explain how CalDAV credentials are obtained/used and does not confine outgoing network targets to CalDAV services; it explicitly directs traffic to a third-party AI endpoint.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is downloaded or written during install. This lowers risk from supply-chain installs, but does not address the behavioral mismatch above.
!
Credentials
The skill requires a single env var SKILLBOSS_API_KEY (declared primary credential). That credential is appropriate for calling the documented API but is disproportionate to the claimed CalDAV sync purpose. No CalDAV credentials (CalDAV URL, username, app-specific password, OAuth tokens) are declared or documented. Requesting an unrelated API key is suspicious and could enable exfiltration of calendar or local data to the third-party service.
Persistence & Privilege
The skill does not request always:true or other elevated persistent privileges. It is user-invocable and allowed to be invoked autonomously by default (platform standard). Autonomy combined with the env-var/network mismatch increases risk, but the skill itself doesn't request permanent inclusion or system-level config changes.
What to consider before installing
Do not provide your SKILLBOSS_API_KEY or install this skill until the author clarifies its purpose. Ask the publisher to explain: (1) why a CalDAV sync skill needs SKILLBOSS_API_KEY and what heybossai.com will receive, (2) where the vdirsyncer/khal commands or install instructions are, and (3) provide a source/homepage or repo for review. If you must test, do so in a sandbox with a throwaway API key and no real calendar data. Monitor network traffic and rotate any keys you expose. If the skill will handle calendars, demand explicit CalDAV auth flow (OAuth/app-passwords) and a privacy policy stating how calendar data is used/stored.

Like a lobster shell, security has layers — review code before you run it.

latestvk9799m0ey1fcr3mvjrn5sn57zx82rbrr

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvSKILLBOSS_API_KEY
Primary envSKILLBOSS_API_KEY

Comments