Is bigdonuts0/caldav-calendar-1-0-1 safe?

https://github.com/openclaw/skills/tree/main/skills/bigdonuts0/caldav-calendar-1-0-1

Overall score: 92/100 (SAFE)

The caldav-calendar skill (bigdonuts0/caldav-calendar-1-0-1) is a clean, well-scoped CalDAV integration guide with no prompt injection, no embedded executable code, no malicious install-time behavior, and confirmed canary file integrity. Installation consisted solely of a legitimate GitHub sparse-checkout clone with no unexpected network connections or filesystem modifications. The primary risk is inherent to the skill's function: vdirsyncer transmits calendar data to external CalDAV servers, and credentials are stored in plain-text local files per standard vdirsyncer conventions. A secondary prompt-injection path exists if a user configures a malicious CalDAV server that returns crafted calendar event content processed by the agent.

Category Scores

Category · Score · Weight
Prompt Injection · 96/100 · 30%
Data Exfiltration · 83/100 · 25%
Code Execution · 98/100 · 20%
Clone Behavior · 92/100 · 10%
Canary Integrity · 100/100 · 10%
Behavioral Reasoning · 80/100 · 5%

Findings (5)

[LOW] Inherent External Data Transmission via CalDAV Sync (score impact: -12)

The skill's core function — vdirsyncer sync — transmits calendar data bidirectionally with external CalDAV servers. While this is fully declared and expected behavior, it means all calendar events (including potentially sensitive meeting titles, descriptions, and attendee info) are sent to third-party servers under user configuration. An attacker who tricks a user into configuring a malicious CalDAV URL gains calendar data access.

[LOW] Plain-Text Credential Storage Pattern (score impact: -5)

The configuration template instructs the user to store the CalDAV password in a plain-text file (e.g., ~/.config/vdirsyncer/icloud_password) that vdirsyncer reads via a 'cat' command. While this is the standard vdirsyncer pattern, it leaves a credential file on disk that any other skill or process with filesystem access could read.

[INFO] Expected GitHub Connection During Installation (score impact: 0)

The installation process connected to 140.82.121.3:443 (GitHub) to perform a sparse git clone. This is fully expected and attributable to the oathe installation framework fetching the skill from the openclaw/skills monorepo.

[INFO] Canary File Reads Attributable to Monitoring Framework (score impact: 0)

Six canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were opened and read at 04:45:50 (pre-install baseline) and 04:46:07 (post-install verification). All reads are CLOSE_NOWRITE (read-only by the monitor) and the monitoring framework confirms all canary files intact. These accesses are from the oathe audit system itself, not the skill.

[INFO] CalDAV Event Content Could Carry Injected Payloads from Malicious Server (score impact: -20)

If a user configures a malicious CalDAV server URL, that server could return .ics calendar events containing adversarial content in SUMMARY, DESCRIPTION, or LOCATION fields. When khal displays these events or the agent processes them, injected instructions in event content could constitute a prompt injection path through calendar data. This is a secondary risk conditional on user misconfiguration.