Is google-calendar safe?
https://clawhub.ai/AdrianMiller99/google-calendar
This Google Calendar skill provides legitimate calendar API functionality with clean installation behavior and no prompt injection risks. However, it persists OAuth access tokens as plaintext files in the user's home directory (~/.config/google-calendar/secrets.env), creating a credential theft vector for co-installed skills or local processes. The requirement for high-value OAuth credentials (client_secret, refresh_token) as environment variables further expands the attack surface.
Findings (7)
HIGH Plaintext credential persistence to disk -35
refresh_token.py writes the Google OAuth access token in plaintext to ~/.config/google-calendar/secrets.env. This file persists across sessions and is readable by any process running as the same user. Access tokens grant read/write access to the user's Google Calendar.
MEDIUM High-value OAuth credentials in environment variables -20
The skill requires GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET, and GOOGLE_REFRESH_TOKEN as environment variables. Any co-installed skill or subprocess running in the same environment can read these values, which together allow generating unlimited access tokens for the user's Google account.
MEDIUM Python scripts write files outside skill directory -25
refresh_token.py creates and writes to ~/.config/google-calendar/secrets.env, which is outside the skill's installation directory. This demonstrates the skill's ability to modify the user's home directory filesystem.
MEDIUM Executable Python scripts with HTTP capabilities -20
Two Python scripts make HTTP POST/GET/PUT/DELETE requests to external endpoints. While the targets are legitimate Google APIs, the urllib-based HTTP client could theoretically be modified to target any endpoint.
LOW Included virtual environment configuration -5
A pyvenv.cfg file exists at scripts/venv/pyvenv.cfg, indicating a Python virtual environment was partially included in the repository. While only the config file appears present (no binaries), this is atypical for a skill distribution.
LOW Full event data exposure during updates -10
The update_event function performs a GET to retrieve the complete event object before patching fields. This means the skill processes full event details (attendees, descriptions, locations) even when only updating a title, increasing the data exposure surface.
INFO Clean installation behavior 0
No suspicious network, process, or filesystem activity was detected during skill installation. The OpenClaw runtime's own file accesses (config files, jiti cache) are expected and benign.