Is gcalcli-calendar safe?

https://clawhub.ai/lstpsche/gcalcli-calendar

72
CAUTION

This skill is a well-structured Google Calendar management tool that poses no direct code execution or data exfiltration threats. However, it explicitly instructs the agent to auto-execute destructive calendar operations (deletes, edits-via-delete) without user confirmation, suppress command output by default, and bypass gcalcli's built-in safety prompts. These design choices prioritize conversational speed over safety and create meaningful risk of accidental data loss, particularly when the LLM misjudges event matching or when the delete-then-recreate edit pattern fails mid-operation.

Category Scores

Prompt Injection 62/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 45/100 · 5%

Findings (8)

HIGH Auto-execute destructive actions without confirmation -25

The skill explicitly instructs the agent to skip user confirmation for delete and edit operations when the match is deemed 'unambiguous'. This overrides the typical agent safety pattern of confirming destructive actions. While the skill provides rationale (conversational speed), this creates a vector where calendar events can be deleted without the user seeing a confirmation prompt. The 'unambiguous' determination is made by the LLM, which can misjudge intent or match the wrong event.

MEDIUM Output suppression hides executed commands from user -13

The skill instructs the agent to never show CLI commands, flags, or tool details unless the user explicitly asks. This means destructive operations (deletes, bulk edits) happen silently. Users cannot audit what the agent is doing in real-time. Combined with the auto-execute policy, a user may not realize an event was deleted until they check their calendar independently.

LOW Network access via gcalcli to Google APIs -15

The skill requires gcalcli which authenticates via OAuth2 and communicates with googleapis.com. This is legitimate for the skill's purpose but establishes a pattern where the agent has network access through a CLI tool. The skill itself does not exfiltrate data, but the network pathway exists. The README transparently documents this.

INFO Platform runtime reads sensitive config files -8

Filesystem monitoring shows the OpenClaw platform (not the skill itself) reading .env, .aws/credentials, .openclaw/openclaw.json, and .profile/.bashrc during skill installation. This is platform behavior, not skill-initiated, but worth noting as the execution environment has access to these files.

INFO No executable code present -10

The skill contains only markdown instruction files, JSON metadata, and no executable code, install scripts, git hooks, submodules, or symlinks. This is a pure prompt-injection-style skill (instructions only).

MEDIUM Delete-then-recreate pattern for edits risks data loss -20

The skill's approach to editing events is to delete the original and recreate it with new properties. If the recreate step fails (API error, rate limit, malformed input), the original event is permanently lost. There is no rollback mechanism. Combined with auto-execute, this could result in silent data loss.

MEDIUM Expanding search windows could expose calendar history -15

The skill progressively expands search windows from 1 day to 14 days to 30 days to 180 days when looking for events. This means a simple query like 'delete my dentist appointment' could scan 6 months of calendar history, exposing sensitive scheduling information to the LLM context window.

LOW Skill uses --iamaexpert flag to bypass gcalcli safety prompts 0

The skill instructs the agent to always use the --iamaexpert flag with delete commands, which bypasses gcalcli's built-in interactive confirmation. While this is a legitimate gcalcli feature for scripted use, it removes another layer of safety that could otherwise catch mistakes.