← Back to Skills Marketplace
tdewitt

Calendar Hold Sync

by misfit.dev · GitHub ↗ · v1.0.1
cross-platform ⚠ suspicious
815
Downloads
2
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install calendar-hold-sync
Description
Sync one or more source Google calendars into private Busy hold events in one or more target calendars using gog. Use when users need idempotent double-booki...
README (SKILL.md)

Calendar Hold Sync

Implement hold mirroring from source Google calendars into target calendars to prevent double-booking.

Dependency

  • Require gog CLI in PATH.
  • Require user OAuth already configured for each account used in mappings.
  • Do not hardcode account emails, calendar IDs, or event IDs in code.

If gog is not configured, use this setup flow:

  1. Run gog auth credentials /path/to/client_secret.json.
  2. Run gog auth add [email protected] --services calendar.
  3. Verify with gog auth list.

Only add additional Google services if you explicitly need them for another workflow.

Official gog references:

Config Contract

Use a user-provided JSON config file with this shape:

  • mappings[]
  • mappings[].name
  • mappings[].targetAccount
  • mappings[].targetCalendarId (default primary)
  • mappings[].sources[] with { account, calendarId }
  • mappings[].lookaheadDays (default 30)
  • mappings[].allDayMode: ignore|mirror
  • mappings[].overlapPolicy: skip|allow
  • hold.summary (default Busy)
  • hold.visibility (private)
  • hold.transparency (busy)
  • hold.notifications (none)
  • hold.reminders (none)
  • metadata.format (SYNCV1)
  • metadata.encoding (base64url(json))
  • metadata.fields: srcAccount,srcCalendar,eventId,start,end,title
  • scheduling.reconcileCron
  • scheduling.daytimeCron (optional)
  • scheduling.driftWindowDays (optional)
  • scheduling.watchIntervalSeconds (optional, default 20)
  • safety.dryRun
  • safety.maxChangesPerRun
  • safety.excludeIfSummaryMatches[]
  • safety.excludeIfDescriptionPrefix[]
  • gog.listEventsCmd|createEventCmd|updateEventCmd|deleteEventCmd (optional template overrides)
  • gog.allowCustomCommands (must be true to enable any gog.*Cmd override)

Custom Command Template Safety

When custom commands are enabled:

  • Only gog command templates are accepted.
  • Templates are rendered by replacing placeholders like {account} and {calendarId}.
  • Rendered commands are executed as argv tokens (no shell interpolation).
  • Keep gog.allowCustomCommands=false unless you fully trust and audit the config file.

Metadata Encoding

Store source linkage in hold description as:

  • SYNCV1:\x3Cbase64url(JSON)>

JSON fields:

  • srcAccount
  • srcCalendar
  • eventId
  • start
  • end
  • title

Behavior

For each mapping:

  1. Read source events in the active window.
  2. Build desired hold events (private, busy, no reminders).
  3. Detect existing managed holds by SYNCV1: prefix.
  4. Reconcile idempotently:
  • Create missing holds.
  • Update drifted holds.
  • Delete stale holds.
  1. If overlap policy is skip, do not create a hold when a non-managed target event overlaps.
  2. Enforce maxChangesPerRun.
  3. Respect dryRun.

Backfill

Backfill mode upgrades legacy hold events (matching expected hold signature but lacking SYNCV1) by attaching encoded metadata when a unique source match exists.

Command Surface

  • hold-sync validate-config
  • hold-sync reconcile --mapping \x3Cname>|--all [--dry-run]
  • hold-sync backfill --mapping \x3Cname>|--all [--dry-run]
  • hold-sync status --mapping \x3Cname>|--all
  • hold-sync install-cron --mapping \x3Cname>|--all
  • hold-sync watch --mapping \x3Cname>|--all [--dry-run] [--interval-seconds \x3Cn>]

Watch Cadence

Require watch cadence to be configurable from user config:

  • scheduling.watchIntervalSeconds controls watch poll frequency.
  • mappings[].lookaheadDays controls rolling watch/reconcile window.

Recommend baseline values:

  • watchIntervalSeconds: 900 (15 minutes)
  • lookaheadDays: 1 (24 hours)

Working Model

  • Use polling-based watch mode (hold-sync watch) for fast updates.
  • Expect update latency approximately equal to watchIntervalSeconds.
  • Treat this as self-hosted/operator-run automation.

Known Limits

  • Do not assume webhook/push subscriptions are present; current fast sync path is polling.
  • Keep periodic scheduled reconcile as fallback even when watch mode is enabled.

Required Tests

  • metadata encode/decode round-trip
  • overlap detection correctness
  • idempotent reconcile upsert/delete behavior

Attribution: gog setup flow adapted from:

Provider Notes (openclaw)

Use this variant when publishing to ClawHub/OpenClaw.

  • Keep instructions implementation-focused and command-oriented.
  • Keep dependency explicit: gog must be preconfigured by user.
  • Prefer deterministic script execution over speculative edits.
  • Avoid provider-specific APIs; treat the CLI as the boundary.
Usage Guidance
Before installing or enabling this skill: 1) Recognize you must install and configure the gog CLI and perform Google OAuth account setup (client_secret.json and 'gog auth add') — the registry metadata does not reflect this dependency, so verify it yourself. 2) Keep 'gog.allowCustomCommands' false unless you fully trust and have audited the config file; custom command templates are a possible attack surface even though the skill claims commands are executed without shell interpolation. 3) Protect client_secret.json and any OAuth tokens; only use dedicated test calendars and dryRun=true when first testing (sample config sets dryRun:true). 4) Validate the mapping config and limits (maxChangesPerRun, exclude rules) to avoid unintended mass changes. 5) If you need higher assurance, ask the publisher to correct the package metadata to list 'gog' as a required binary and to provide a signed homepage/source link; absence of that information lowers confidence in packaging quality.
Capability Analysis
Type: OpenClaw Skill Name: calendar-hold-sync Version: 1.0.1 The skill is classified as suspicious due to the presence of a `gog.allowCustomCommands` configuration option, which, if enabled by the user, allows overriding `gog` CLI commands with templates. While the documentation in SKILL.md and README.md claims that rendered commands are executed as `argv` tokens (no shell interpolation), this is a critical vulnerability surface if the underlying execution environment's sanitization is imperfect, potentially leading to command injection. Additionally, the `install-cron` command provides a persistence mechanism, which is a high-privilege action, though it is a legitimate feature for a sync service. The skill itself does not contain malicious instructions or attempt to exploit these capabilities, and it explicitly warns users about the risks of enabling custom commands.
Capability Assessment
Purpose & Capability
The SKILL.md clearly requires the 'gog' CLI and user OAuth credentials to operate, but the registry metadata lists no required binaries or primary credentials. This mismatch is an incoherence: a legitimate calendar sync skill would reasonably require 'gog' (or other Google API access). The absence of that dependency in the declared metadata suggests sloppy packaging or missing metadata and should be fixed or clarified.
Instruction Scope
Instructions are scoped to calendar-sync tasks and describe a config-driven, idempotent reconcile/backfill/watch workflow using gog commands. They instruct the operator to run gog auth flows and to provide a client_secret.json; those are normal for Google API CLI usage. One area to watch: the skill supports configurable 'gog.*Cmd' template overrides. While the skill says rendered commands are executed as argv tokens (no shell interpolation) and requires 'gog.allowCustomCommands=true' to enable overrides, custom commands in a user-provided config can still be a source of risk if the config is untrusted or edited by an attacker.
Install Mechanism
This is an instruction-only skill with no install spec or bundled code; nothing is written to disk by the skill package itself. That reduces installation risk. The README suggests installing gog (e.g., Homebrew) but the skill does not install any binaries itself.
Credentials
The skill does not declare required environment variables in the registry, and its runtime notes indicate only optional conveniences (e.g., setting GOG_ACCOUNT). The real credential requirement is user OAuth via gog (client_secret.json and authenticated accounts). That is proportional to the task, but sensitive artifacts (client_secret.json, OAuth tokens) are necessary and must be handled securely. The earlier metadata omission of the gog dependency is the main proportionality inconsistency.
Persistence & Privilege
The skill does not request always:true or other elevated platform privileges. It is user-invocable and allows autonomous model invocation by default (platform default) but does not request permanent inclusion or to modify other skills' configurations.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install calendar-hold-sync
  3. After installation, invoke the skill by name or use /calendar-hold-sync
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
- Updated dependency instructions to clarify only required Google services should be added in `gog` setup. - Added new section "Custom Command Template Safety" describing how custom `gog` command templates are handled and their execution safety. - Introduced a "Working Model" section to explain polling-based watch mode and expected update behavior. - Added "Known Limits" section to highlight lack of webhook support and importance of scheduled reconcile as fallback. - Minor clarifications and improved command guidance in dependency setup for clarity and safety.
v1.0.0
Config-driven Google Calendar hold sync for OpenClaw. Mirrors one or more source calendars into private Busy hold events in target calendars to prevent double-booking. Uses gog (user OAuth), supports idempotent reconcile/backfill/status, scheduled cron sync, and polling-based watch mode. Repo: https://github.com/misfitdev/skills/tree/main/skills/calendar-hold-sync
Metadata
Slug calendar-hold-sync
Version 1.0.1
License
All-time Installs 0
Active Installs 0
Total Versions 2
Frequently Asked Questions

What is Calendar Hold Sync?

Sync one or more source Google calendars into private Busy hold events in one or more target calendars using gog. Use when users need idempotent double-booki... It is an AI Agent Skill for Claude Code / OpenClaw, with 815 downloads so far.

How do I install Calendar Hold Sync?

Run "/install calendar-hold-sync" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Calendar Hold Sync free?

Yes, Calendar Hold Sync is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Calendar Hold Sync support?

Calendar Hold Sync is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Calendar Hold Sync?

It is built and maintained by misfit.dev (@tdewitt); the current version is v1.0.1.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments