← 返回 Skills 市场

Calendar Reminders (gcalcli + CalDAV)

Name: Calendar Reminders (gcalcli + CalDAV)
Author: adorostkar

作者 adorostkar · GitHub ↗ · v0.1.1

cross-platform ⚠ suspicious

1885

总下载

当前安装

版本数

在 OpenClaw 中安装

/install calendar-reminders

功能描述

Provides a config-driven wrapper around gcalcli plus optional CalDAV integration to generate JSON reminder plans for scheduling one-shot OpenClaw reminders.

使用说明 (SKILL.md)

gcalcli calendar wrapper + reminder planner

This skill provides:

scripts/calendar — wrapper around gcalcli
scripts/calendar_reminder_plan.py — produces a JSON plan for reminder scheduling
references/openclaw-calendar.example.json — example config format

Config

Copy the example config to a private location and edit it:

Default path: ~/.config/openclaw/calendar.json
Override with env: OPENCLAW_CALENDAR_CONFIG=/path/to/calendar.json

Requirements

Required: python3, gcalcli
Optional (for CalDAV/iCloud): vdirsyncer, khal

Security notes (why ClawHub may flag this)

This skill invokes external binaries and is config-driven.

The planner runs gcalcli/khal using subprocess.check_output([...], shell=False) (argument-list form; safe against shell injection from event titles).
If you wire a cron job to run vdirsyncerSyncCommand, make sure you run it as an argv list (subprocess.run(cmd_list, shell=False)), not as a shell string.
Only point gcalcliPath / khalBin to trusted binaries (prefer absolute paths). Don’t run untrusted paths.

Auth (Google)

gcalcli requires OAuth. On headless servers you may need SSH port-forwarding. The wrapper uses --noauth_local_server to print instructions.

Reminder planning

The planner outputs a JSON blob describing reminders to schedule. A separate cron job (or an agent turn) can read it and create one-shot OpenClaw reminders.

Defaults:

Ignore birthdays.
Timed events are considered important.
All-day events only trigger reminders if their title matches configured keywords.

Wiring a daily reminder scheduler (OpenClaw)

Create a daily cron job (e.g. 00:05 local time) that:

If CalDAV is enabled in config, runs the configured vdirsyncer sync command.
Runs scripts/calendar_reminder_plan.py to get a JSON plan.
For each planned reminder, creates a one-shot OpenClaw systemEvent reminder at reminderAtUtc.
Writes a small state file so you don’t schedule duplicates.

(Our skill intentionally provides the wrapper + planner; scheduling is left to your cron/agent wiring.)

安全使用建议

This skill appears to do what it says: it reads your calendar tools (gcalcli and optionally khal/vdirsyncer) and emits a JSON plan of one-shot reminders. Before installing/using it: 1) Confirm the registry metadata omission — ensure you have python3, gcalcli (and khal/vdirsyncer if you enable CalDAV) installed and configured. 2) Verify gcalcli/khal are trusted binaries (use absolute paths in config) so the script does not end up executing an unexpected program. 3) Understand that OAuth/CalDAV credentials are handled by those clients — the skill will inherit whatever local credentials they use, so keep those credentials private. 4) Review where the state file will live (default ~/.local/state/openclaw/calendar-reminders-state.json) and who can read/write it. 5) If you wire a cron job to run vdirsyncer, run it as an argv list (no shell string) as advised in the SKILL.md to avoid shell-injection risk. If you want higher assurance, inspect the remainder of the included script (the truncated portion) to confirm it doesn't write unexpected network calls or state outside the declared paths.

功能分析

Type: OpenClaw Skill Name: calendar-reminders Version: 0.1.1 The skill is classified as suspicious due to its reliance on executing external binaries (`gcalcli`, `khal`, and potentially `vdirsyncer`) whose paths are configurable in `~/.config/openclaw/calendar.json`. This introduces a Remote Code Execution (RCE) vulnerability if an attacker can modify the configuration file to point to arbitrary executables. While the `SKILL.md` documentation explicitly warns the agent/user about this risk and advises on secure practices (e.g., 'Only point `gcalcliPath` / `khalBin` to **trusted binaries**'), the inherent capability to execute user-defined binary paths makes it a significant security concern. The Python script `scripts/calendar_reminder_plan.py` does correctly use `subprocess.check_output` with argument lists (defaulting to `shell=False`), mitigating shell injection from event data, and the example config provides `vdirsyncerSyncCommand` as a safe argument list.

能力评估

ℹ Purpose & Capability

Name/description describe a gcalcli + CalDAV reminder planner and the included Python script and example config implement that. One minor incoherence: the registry metadata claims no required binaries, but SKILL.md and the script clearly expect python3 and gcalcli (and optionally khal/vdirsyncer). This appears to be an omission in metadata rather than malicious behavior.

✓ Instruction Scope

Runtime instructions and the script only read a user config (~/.config/openclaw/calendar.json or path set by OPENCLAW_CALENDAR_CONFIG), optionally read a state file under ~/.local/state, and call gcalcli/khal/vdirsyncer to collect events. The skill does not try to read unrelated system files, request unrelated env vars, or post data to remote endpoints. Subprocess calls use argument lists (no shell=True), which the README notes and the code uses.

✓ Install Mechanism

There is no install spec (instruction-only + included script). Nothing is downloaded or written by an installer in the bundle. Risk is limited to executing the included Python script and whatever user-installed calendar tools (gcalcli/khal/vdirsyncer) do.

ℹ Credentials

The skill does not request secrets directly; it relies on local gcalcli OAuth credentials and any CalDAV credentials the user has configured. This is proportionate to its purpose, but users should be aware that gcalcli/khal will use stored OAuth/CalDAV credentials — the skill itself will inherit environment variables and will run external binaries, so ensure those clients' credentials are stored securely and that you point gcalcliPath/khalBin to trusted absolute paths.

✓ Persistence & Privilege

The skill is not always-enabled and does not request elevated privileges. It is intended to be invoked by a cron job or agent run; it may read or write a small state file under the user's home directory (expected behavior to avoid duplicate reminders). It does not attempt to modify other skills or system-wide configuration.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install calendar-reminders
安装完成后，直接呼叫该 Skill 的名称或使用 /calendar-reminders 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v0.1.1

Handle Google auth failures cleanly; planner continues when Google is unavailable; add security wiring notes for vdirsyncer/binary paths.

v0.1.0

Initial release: config-driven gcalcli wrapper + reminder planner JSON; optional CalDAV source via vdirsyncer+khal.

元数据

Slug calendar-reminders

版本 0.1.1

许可证 —

累计安装 12

当前安装数 12

历史版本数 2

常见问题