Secured Calendar management - Google Calendar, Microsoft Outlook & Exchange - list, search, create, update, delete, and respond to calendar events across mul...
Security Analysis
high confidenceThe skill's requirements and runtime instructions are coherent with a calendar-management CLI: it needs the porteden binary and a PE_API_KEY and instructs the agent to call that CLI — nothing in the package indicates it is trying to do unrelated or hidden work.
Name/description, declared binary requirement (porteden), install instructions (brew/go) and primaryEnv (PE_API_KEY) all align with a CLI-based calendar integration. Requesting a PE_API_KEY and a local 'porteden' binary is proportionate to the stated purpose.
SKILL.md contains only CLI usage for porteden (listing, searching, creating, updating, deleting events) and instructions to authenticate via browser or token. It explicitly notes credentials persist in the system keyring and recommends using PE_API_KEY in the environment. One minor inconsistency: SKILL.md references additional optional env vars (PE_PROFILE, PE_TIMEZONE, PE_FORMAT, PE_COLOR, PE_VERBOSE) that are not declared in the registry's requires.env list — this is informational but not malicious. No instructions request unrelated files, system-wide config, or external endpoints beyond the porteden CLI behavior.
Install options are brew (porteden/tap/porteden) or go install from github.com/porteden/cli — both are normal package install paths for a CLI. There are no arbitrary URL downloads or extract-from-unknown-host steps in the manifest. Note: the brew tap is a third-party tap (porteden/tap) rather than Homebrew/core; verify you trust that tap if installing via brew.
Only one required credential (PE_API_KEY) is declared and used as the primary credential, which is appropriate. SKILL.md mentions additional optional env vars for convenience but does not require unrelated credentials. The CLI persists credentials to the system keyring — expected for a CLI but worth noting because it creates local persistent access to calendar accounts.
The skill is not force-included (always:false) and does not request elevated privileges or modify other skills. It relies on a local CLI which stores tokens in the system keyring (local persistence) — normal for this type of tool. Autonomous invocation is allowed (platform default); if you enable the skill for autonomous actions, the agent will be able to run the porteden CLI and access any credentials available to it.
Guidance
This skill is coherent: it simply directs the agent to run the porteden CLI and use PE_API_KEY or an interactive/browser login. Before installing, verify you trust the PortEden project and the brew tap or GitHub repo used for go install. Understand that PE_API_KEY grants access to your calendars — consider creating a least-privilege API key or a dedicated profile, and avoid putting long-lived keys in global shells. Note that the CLI stores credentials in the system keyring (persistent local access); if you are concerned about persistence, prefer temporary tokens and remove them after use. Finally, if you plan to allow autonomous agent actions, remember the agent will be able to run the CLI and read/write calendar events, so review access and consent settings accordingly.
Latest Release
v1.0.3
- Updated description to emphasize secured calendar management. - No functional or command changes; documentation and metadata only. - No file changes detected in this release.
More by @porteden
Published by @porteden on ClawHub
