Safety Report

Calendar

Name: Calendar
Author: Xejrax

@Xejrax

Manage Google Calendar events using `gcalcli`. Create, list, and delete calendar events from the CLI.

1,669Downloads

5Installs

0Stars

1Versions

CLI & Shell Tools4,287 Calendar & Scheduling3,358

Security Analysis

medium confidence

Suspicious0.08 risk

The skill's stated purpose (using gcalcli to manage calendars) is reasonable, but its runtime instructions reference sensitive credentials (Google API key or CalDAV user/password) that are not declared in the skill metadata — an inconsistency that should be resolved before trusting it.

Feb 11, 20262 files4 concerns

Purpose & Capabilitynote

Name/description match the actual behavior (gcalcli CLI calls). Requiring the gcalcli binary and providing a pip install for gcalcli is proportionate to the stated purpose. However, the SKILL.md mentions needing GOOGLE_CALENDAR_API_KEY or CALDAV_URL/CALDAV_USER/CALDAV_PASS while the skill metadata lists no required environment variables or credentials — this mismatch is unexpected.

Instruction Scopeconcern

SKILL.md contains concrete gcalcli commands (agenda, add, delete) which stay within calendar management. But it explicitly refers to API keys/CALDAV credentials as required inputs; those credentials are sensitive and the instructions do not say how they are supplied or stored. The instructions give broad examples but do not constrain where credentials come from, which increases the risk if an agent is given access to environment/config.

Install Mechanismnote

Install is a straightforward pip install gcalcli which is expected for this tool. pip installs are common and reasonable here, but they carry the usual supply-chain risk of installing packages from PyPI. No obscure or remote download URLs are used.

Credentialsconcern

The skill metadata declares no required environment variables, yet SKILL.md explicitly references GOOGLE_CALENDAR_API_KEY or CALDAV_URL/CALDAV_USER/CALDAV_PASS. Sensitive variables (API keys, usernames, passwords) are implied but not declared as required — this is a red flag because the agent or user might be asked to provide or expose secrets without clear metadata or provenance.

Persistence & Privilegeok

The skill does not request always:true and does not claim to modify other skills or global agent config. Agent autonomous invocation is allowed (the platform default) but that by itself is expected for typical skills.

Guidance

Before installing, ask the publisher to update the skill metadata to declare exactly which credentials it needs (GOOGLE_CALENDAR_API_KEY, or CALDAV_* variables) and how those credentials are used/stored. Verify the source of the skill (there is no homepage or repository listed) and prefer installing gcalcli yourself rather than having the agent run pip automatically. Be cautious about giving the agent access to environment variables or config files that contain API keys or passwords; if you must use this skill, store credentials in a secure place (not a shared env) and run the skill in a sandboxed account. Finally, confirm how gcalcli will authenticate (OAuth client files, token cache like ~/.gcalcli_oauth, or plain API keys) so you know where secrets will live on disk.

Latest Release

v1.0.0

Initial publish

More by @Xejrax

File Search

8 stars

Pdf Extract

7 stars

Image Ocr

6 stars

System Info

3 stars

Media Player

2 stars

Dns Lookup

0 stars

Published by @Xejrax on ClawHub