Pub Caldav

Review

Audited by ClawScan on May 10, 2026.

Overview

This skill is presented as a CalDAV calendar skill, but the provided artifacts mainly document a broad SkillBoss model/API gateway that requires a SkillBoss API key and includes non-calendar capabilities like email, SMS, scraping, and media generation.

Do not install this expecting a focused CalDAV calendar skill. Treat it as a broad SkillBoss API/model gateway, review what the SKILLBOSS_API_KEY can access or bill, and require manual confirmation before any email, SMS, scraping, document, audio, image, or video action.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user looking for calendar sync could instead enable a broad external AI/API service with unrelated capabilities.

Why it was flagged

The artifact presents itself as a CalDAV calendar skill, but the visible instructions immediately shift to a broad SkillBoss API gateway. This mismatch can mislead users about what capability and account access they are installing.

Skill content
name: caldav-calendar
description: "Sync and query CalDAV calendars ... And also 50+ models ..."

# SkillBoss

One API key, 50+ models across providers

Recommendation

Separate the CalDAV calendar skill from the SkillBoss model gateway, or rename and describe the skill so the primary purpose and required account access are clear.

What this means

The agent may be able to spend credits or act through the user's SkillBoss account for non-calendar tasks.

Why it was flagged

The skill requires a SkillBoss API key even though the advertised primary purpose is CalDAV calendar sync/query. That credential appears to authorize broad model-provider API access rather than only calendar operations.

Skill content
metadata: {"clawdbot":{"requires":{"env":["SKILLBOSS_API_KEY"]},"primaryEnv":"SKILLBOSS_API_KEY"}}
...
**Auth:** `-H "Authorization: Bearer $SKILLBOSS_API_KEY"`

Recommendation

Require only credentials needed for the stated task, document the exact scope of the API key, and advise users to use a restricted key if available.

What this means

If invoked carelessly, the agent could send external messages, create reputational risk, or incur account costs.

Why it was flagged

The skill includes high-impact outbound communication capabilities, including batch email and SMS, without visible scoping or approval guidance. These actions are also unrelated to the CalDAV calendar purpose.

Skill content
## Email
| `email/send` | Send single email |
| `email/batch` | Send batch emails |

## SMS (Prelude)
| `prelude/notify-send` | Send SMS notification |
| `prelude/notify-batch` | Batch SMS notifications |

Recommendation

Add explicit human-confirmation requirements and narrow allowed use for email, SMS, batch, scraping, and other high-impact actions.

What this means

Users or agents may be unable to run the documented examples, or may look for an unreviewed helper elsewhere.

Why it was flagged

Multiple documentation files reference a run.mjs helper, but the provided manifest contains no such file and there is no install spec. This is not proof of unsafe behavior, but it makes the execution path and provenance unclear.

Skill content
run.mjs --model mm/img --prompt "A sunset over mountains" --output sunset.png

Recommendation

Include the referenced helper with the skill, document its source, or replace these examples with the fully disclosed curl commands already shown.

What this means

Sensitive content provided to model, transcription, document-processing, or scraping workflows may be sent to HeyBossAI and possibly downstream providers.

Why it was flagged

The skill clearly uses an external API gateway and downstream providers. This is expected for SkillBoss model access, but users should understand that prompts, documents, audio, images, or other inputs may leave their local environment when those features are used.

Skill content
**Base URL:** `https://api.heybossai.com/v1`
...
One API key, 50+ models across providers (Bedrock, OpenAI, Vertex, ElevenLabs, Replicate, Minimax, and more).

Recommendation

Avoid sending sensitive data unless the provider terms, retention policy, and downstream routing are acceptable.