Weekly Planner

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: weekly-planner
Version: 1.0.0

The skill is generally well-designed and includes several safety mechanisms, such as dry-run modes and explicit write-enabled flags for calendar synchronization. The `SKILL.md` instructions are clear and do not contain obvious prompt injection attempts. However, the `scripts/init_planner.py` script is classified as suspicious due to its use of `shutil.rmtree(target_dir)` on a user-controlled `--target` path, especially when combined with the `--force` flag. While the script warns that `--force` is 'DANGEROUS', an agent could be prompted to provide a malicious target path (e.g., `--target / --force`), potentially leading to significant data loss or system disruption. This represents a high-impact vulnerability rather than intentional malice.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the user enables sync, the skill can create, update, or delete managed events on the configured planner calendar.

Why it was flagged

The skill can invoke an external calendar CLI to make Google Calendar changes, but the documented defaults require an explicit apply flag and a config safety latch.

Skill content

Sync planner week TOML -> Google Calendar (via gog). ... Default is dry-run; use --apply to make changes. ... requires calendar.write_enabled = true

Recommendation

Use dry-run first, validate the week file, keep write_enabled false until ready, and use a dedicated Planner calendar rather than a primary calendar.

What this means

Calendar changes will be made with the permissions of the user’s configured Google Calendar account.

Why it was flagged

Direct Google Calendar sync depends on an authenticated gogcli setup, so calendar access occurs under the Google account configured for that tool.

Skill content

Optional: gog (steipete/gogcli) for direct Google Calendar sync; otherwise export .ics.

Recommendation

Confirm which Google account gogcli uses, limit sync to a dedicated planner calendar, and avoid granting broader calendar access than needed.

What this means

Private planning details may remain in the workspace and be readable by future agents, tools, or anyone with access to those files.

Why it was flagged

The skill intentionally stores personal tasks, goals, schedules, and reviews as persistent local plain-text files.

Skill content

A lightweight, file-based weekly planner that lives in a workspace folder as plain text (.toml). It supports: Inbox capture ... Weekly plans ... an end-of-week review

Recommendation

Keep the planner in a private workspace, avoid putting secrets or highly sensitive details in planner notes, and review files before sharing or syncing them.