Email To Calendar
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its email-to-calendar purpose, but it also sets up persistent email monitoring and auto-archiving behavior that should be reviewed before installation.
Before installing, confirm you are comfortable granting Gmail and Calendar access, having processed emails marked read or archived, and allowing any persistent HEARTBEAT.md email-check workflow. If you only want forwarded-email processing, disable direct inbox monitoring, auto-archive behavior, and heartbeat integration.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
After first use, the agent may continue checking email and modifying inbox state in later cycles unless the user notices and disables the heartbeat integration.
This creates persistent agent instructions to keep scanning email and auto-archiving calendar notifications during future heartbeat cycles, rather than limiting behavior to the current user request.
If the following sections are not present in HEARTBEAT.md, add them: ... During email check cycle ... Run `~/.openclaw/workspace/skills/email-to-calendar/scripts/process_calendar_replies.sh` to auto-archive them
Require explicit user opt-in before editing HEARTBEAT.md, provide a clear disable/uninstall path, and default to user-invoked processing unless the user intentionally enables ongoing monitoring.
Incorrect extraction or agent action could create, update, or delete calendar entries, or process the wrong email.
The skill relies on tools that can read private email and mutate calendar data. This is expected for the stated purpose, but it is high-impact authority.
Verify the agent can: - Read emails ... - Create calendar events - Update/delete calendar events
Review extracted events before approving calendar changes, keep the 'always ask before creating' rule enabled, and avoid granting broader tool access than needed.
The skill can act through the selected Gmail and Calendar account, including reading messages and changing calendar data.
The skill uses existing Gmail/Google Calendar account authorization through gog. This is purpose-aligned, but the user should understand which account and calendar are being delegated.
Detect your Gmail accounts via `gog auth status` ... List available calendars via `gog calendar list`
Use the least-privileged account practical, verify the configured `gmail_account` and `calendar_id`, and revoke gog access if you stop using the skill.
Details from emails and calendar events may remain stored locally and be reused in later sessions.
The skill persists email-derived event data, pending invite state, activity logs, and changelogs in local OpenClaw memory for later review and undo support.
`~/.openclaw/workspace/memory/email-to-calendar/` - For pending_invites.json, events.json, activity.json, changelog.json
Review and delete the memory files if they contain sensitive email content, and avoid processing highly confidential messages unless local retention is acceptable.
Users have less external context for verifying the publisher, release history, or full code provenance.
The registry metadata does not provide a source repository or homepage for independent provenance review.
Source: unknown; Homepage: none
Install only if you trust the publisher, and prefer versions with a public source link or independently reviewable provenance.