Back to skill
Skillv1.0.2
ClawScan security
Google Calendar Update Event · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 27, 2026, 4:15 AM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's requirements and instructions are internally consistent for updating a Google Calendar event via the gog CLI, but it implicitly depends on the user's gog authentication/configuration which is not explicitly documented.
- Guidance
- This skill will run the local 'gog calendar update' command to modify events. Before installing, verify you trust the agent and that the gog CLI is installed and intentionally authenticated to the Google account you expect (gog stores credentials/config outside the skill). Consider: (1) testing with a non-critical calendar/event first, (2) verifying the gog config path and scopes the CLI has access to, and (3) restricting agent permissions or making the skill user-invocable only if you want explicit consent before each calendar change.
Review Dimensions
- Purpose & Capability
- okName, description, and runtime instructions all describe updating a Google Calendar event using the gog CLI; the only declared runtime requirement is the gog binary, which matches the stated purpose.
- Instruction Scope
- noteSKILL.md instructs a single atomic CLI call (gog calendar update ...) and does not request reading other files or unrelated environment variables. However, it does not mention that the gog CLI must be authenticated/authorized to access Google Calendar, which is an important implicit precondition.
- Install Mechanism
- okInstruction-only skill with no install spec or downloads; lowest-risk installation footprint (nothing written to disk by the skill itself).
- Credentials
- noteThe skill declares no environment variables or credentials. This is reasonable because the gog CLI likely uses the user's existing auth/config. Still, the lack of any explicit mention of required OAuth credentials or config paths means users might be surprised that the agent can perform calendar changes if gog is already authenticated.
- Persistence & Privilege
- okalways is false and the skill is user-invocable; it does not request permanent inclusion or modify other skills. Autonomous invocation is allowed by default but not a special privilege here.