Scan Report
5 /100
calendar-crab
Google Calendar CLI — list, create, move, and delete events
Clean Google Calendar CLI with legitimate OAuth implementation, no malicious behavior detected.
Safe to install
This skill is safe to use. No security concerns identified.
Findings: 1 item
| Severity | Finding | Location |
|---|---|---|
| Low | Token file write not explicitly declared (Doc Mismatch) | calendar-crab.js:74 |

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ+WRITE | ✓ Aligned | Reads/writes to ~/.openclaw/secrets for OAuth tokens - necessary for OAuth flow |
| Network | READ | READ | ✓ Aligned | HTTPS requests only to oauth2.googleapis.com and www.googleapis.com (Google APIs… |
| Shell | NONE | NONE | — | No subprocess, exec, or shell execution detected |
| Environment | READ | READ | ✓ Aligned | Reads CALENDAR_CRAB_SECRETS, CALENDAR_CRAB_TZ, CALENDAR_CRAB_CALENDAR - all decl… |
5 findings

| Severity | Type | Value | Location |
|---|---|---|---|
| Medium | External URL | https://console.cloud.google.com/ | README.md:33 |
| Info | Email | [email protected] | SKILL.md:31 |
| Info | Email | [email protected] | SKILL.md:31 |
| Info | Email | [email protected] | calendar-crab.js:176 |
| Info | Email | [email protected] | calendar-crab.js:176 |

File Tree
3 files · 15.2 KB · 506 lines
JavaScript 1f · 331L
Markdown 2f · 175L
├─ calendar-crab.js (JavaScript)
├─ README.md (Markdown)
└─ SKILL.md (Markdown)
Security Positives
✓ Zero external dependencies - no supply chain risk
✓ Native Node.js https.request used for API calls - no curl/wget
✓ Network requests limited to legitimate Google APIs (oauth2.googleapis.com, www.googleapis.com)
✓ No shell execution, subprocess, or eval() calls
✓ No credential harvesting or exfiltration
✓ No obfuscation or hidden functionality
✓ OAuth implementation follows standard Google OAuth2 flow
✓ Access tokens stored locally in user's secrets directory (~/.openclaw/secrets)