ClawHub

Apple Cal Anywhere

v1.3.1

Your Apple Calendar, on any platform. iCloud Calendar skill via CalDAV (RFC 4791) — works on macOS/Linux, and Windows with env/keyring auth. Supports event C...

0· 331·0 current·0 all-time
byXushen@xushen-ma
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, CLI, and code all implement CalDAV calendar operations and managed attachments. Requested binary (python3) and required environment variable (APPLECAL_PASSWORD) are expected and necessary for iCloud CalDAV access.
Instruction Scope
Runtime instructions and code read APPLECAL_PASSWORD (or keyring/macOS Keychain) and connect to caldav.icloud.com; they also allow uploading local files as RFC-8607 managed attachments. Attachment handling includes extension allowlist and sensitive-path/name blocking, and an optional APPLECAL_ATTACH_DIR scoping feature. Note: the skill will read local files only when you explicitly use attach commands; otherwise it performs normal calendar API operations. There is a minor code-quality oddity in the truncated source (a likely erroneous 'return r' near keychain handling) — this looks like a bug, not malicious behavior, but you may want to inspect the full file.
Install Mechanism
No install spec is provided (instruction-only install), and the code expects only standard Python plus the 'requests' library (and optional 'keyring'). This is low-risk compared with arbitrary remote downloads. The README instructs pip install requests (and optional keyring).
Credentials
Only APPLECAL_PASSWORD is declared and used as the primary credential. The skill optionally consults local keyring or macOS Keychain as documented. No unrelated credentials, cloud provider keys, or broad system config paths are requested.
Persistence & Privilege
The skill is not always-enabled, does not request persistent system-level privileges in metadata, and does not declare writes to other skills or system configuration. It uses local keyring/keychain only for credential retrieval, which is appropriate for its purpose.
Assessment
This skill appears to do what it says: connect to iCloud CalDAV and manage events and attachments. Before installing, consider: 1) You must provide an app-specific Apple password (APPLECAL_PASSWORD) or store it in your keyring/Keychain — prefer keyring or macOS Keychain over putting secrets in shell profiles if you are on a shared machine or CI. 2) The attach/add command uploads files from your machine to iCloud; by default the script enforces an extension allowlist and blocks common sensitive paths/names, and you can further restrict uploads by setting APPLECAL_ATTACH_DIR to a specific folder. Review the attachment allowlist and sensitive-path patterns in scripts/applecal.py to ensure they match your expectations. 3) The tool invokes the macOS 'security' command when falling back to Keychain — this is expected for macOS credential retrieval. 4) The code is bundled in the skill; if you distrust the source, inspect scripts/applecal.py in full before running. 5) Run the provided 'doctor' and tests in an isolated environment (or sandbox) first, and avoid placing the app-specific password in shared CI environments. Overall the skill is coherent with its purpose; the remaining risks are operational (credential handling and file uploads), not indicators of misdirection.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Binspython3
EnvAPPLECAL_PASSWORD
Primary envAPPLECAL_PASSWORD
latestvk97cg3myx32zt2jsc7jqwyjxnx83tg2z
331downloads
0stars
2versions
Updated 3w ago
v1.3.1
MIT-0
Xushen@xushen-ma
latest
Download

apple-cal-anywhere

Advanced Apple Calendar integration using CalDAV (RFC 4791) and Managed Attachments (RFC 8607).

Primary CLI

scripts/applecal.py

Capabilities

  • Event CRUD: List, Create, Update, Delete.
  • Multi-Calendar Support: Query multiple calendars in a single command.
  • True Attachments: RFC 8607 compatible (works on iPhone/iPad).
  • Free/Busy: CalDAV scheduling lookup with event-derived fallback.

Common Commands

List Events (Combined)

Check multiple calendars at once:

python3 scripts/applecal.py events list \
  --apple-id your@icloud.com \
  --calendar Family \
  --calendar Work \
  --from "2026-02-26T00:00:00Z" \
  --to "2026-02-26T23:59:59Z"

Create All-Day Event

python3 scripts/applecal.py events create \
  --apple-id your@icloud.com \
  --calendar Family \
  --summary "Birthday" \
  --start "2026-02-26" \
  --end "2026-02-26" \
  --all-day

Attach a File (iPhone Safe)

python3 scripts/applecal.py attach add \
  --apple-id your@icloud.com \
  --calendar Family \
  --uid <UID> \
  --file /path/to/document.pdf

Free/Busy Check

python3 scripts/applecal.py freebusy \
  --apple-id your@icloud.com \
  --calendar Family \
  --from "2026-02-26T00:00:00Z" \
  --to "2026-02-26T23:59:59Z"

Notes

  • Birthdays: The virtual "Birthdays" calendar is not searchable via CalDAV. Key birthdays should be added as physical recurring events in the Family calendar for agent visibility.
  • Auth: Resolution order is APPLECAL_PASSWORD → Python keyring (if installed/configured) → macOS Keychain fallback. Run doctor to verify connectivity.
  • Event update clearing: Use events update --clear-location / --clear-description to explicitly remove optional fields.
  • Attachment safety: attach add blocks sensitive paths/names, allowlists file extensions, and supports optional directory scoping via APPLECAL_ATTACH_DIR.
  • Apple ID: Always pass --apple-id your@icloud.com (the iCloud account email, not necessarily your Apple ID login).

Comments

Loading comments...