← 返回 Skills 市场

Opys Calendar Skill

Name: Opys Calendar Skill
Author: 21j3phy

作者 21J3phy · GitHub ↗ · v0.1.2

cross-platform ⚠ suspicious

489

总下载

当前安装

版本数

在 OpenClaw 中安装

/install opys-calendar

功能描述

A local markdown-backed calendar with CLI and optional two-way Google Calendar sync.

安全使用建议

This package is internally consistent with its description, but review and handle sensitive artifacts carefully before installing or running it: 1) Protect Google OAuth credentials (GOOGLE_CLIENT_ID/GOOGLE_CLIENT_SECRET) and only set them if you intend to enable Google sync. 2) The app will persist session tokens and sync mappings to .calendar-sessions.json and .calendar-google-sync-state.json in the project root — these files contain tokens/IDs that should be kept private; consider adding them to .gitignore or removing any seed files shipped in the repo. 3) The agent snapshot (agent-snapshot.md by default) will contain recent and upcoming events and can be pointed to any path via CALENDAR_AGENT_SNAPSHOT — do not set this to a location where sensitive data should not be written. 4) The repo includes dev scripts (Playwright screenshots, etc.) and a full Node app; run npm install only from a trusted environment and inspect the code if you have strict security requirements. 5) If you don't need Google sync, leave OAuth env vars unset to avoid creating persisted tokens. If you want more assurance, ask the author for provenance (homepage/source URL verification) or run the code in an isolated environment first.

功能分析

Type: OpenClaw Skill Name: opys-calendar Version: 0.1.2 The skill is classified as suspicious due to several security vulnerabilities and oversights. Most notably, the `.calendar-google-sync-state.json` and `.tmp-recent-calendar.md` files contain PII (an example email address) and local file paths, which are sensitive data leaks within the skill bundle itself. Additionally, the `CALENDAR_AGENT_SNAPSHOT` environment variable in `scripts/calendar-cli.ts` could potentially be exploited for arbitrary file writes if an attacker can control its value, posing a path traversal vulnerability. The `server/index.ts` also uses a permissive CORS configuration (`origin: true`), which could be a security risk in certain deployment scenarios.

能力评估

✓ Purpose & Capability

Name/description match the code and instructions: the repo provides a CLI, a React UI, an Express API server, and optional two-way Google Calendar sync. The environment variables and local files referenced (calendar.md, snapshot, sync state) are consistent with a local-first calendar with optional Google OAuth.

ℹ Instruction Scope

SKILL.md keeps scope focused on reading/writing calendar.md and using the CLI for mutating actions. It also instructs the agent to write a rolling snapshot (default ./agent-snapshot.md) and documents optional Google OAuth env vars. This is expected for an agent-first calendar, but the snapshot and session persistence are effectively data-export operations worth noticing.

✓ Install Mechanism

No install spec is declared (instruction-only from platform perspective), but the package contains normal Node.js code and a package.json with common deps (express, dotenv, fullcalendar, etc.). There are no download-from-URL installs or unusual third-party installers in the repo metadata.

ℹ Credentials

Requested environment variables (Google OAuth client id/secret/redirect URI, APP_BASE_URL, PORT, and snapshot config) are proportional to optional Google sync and running the local server. They are optional in package.json. Be aware that supplying GOOGLE_CLIENT_SECRET enables the app to obtain OAuth tokens which the server persists locally.

ℹ Persistence & Privilege

The server and CLI persist multiple files to the project root: agent snapshots (agent-snapshot.md by default or as configured by CALENDAR_AGENT_SNAPSHOT), .calendar-google-sync-state.json, and a session store (.calendar-sessions.json). Persisting OAuth tokens and calendar snapshots on disk is expected for this functionality but increases local data exposure and requires filesystem protection.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install opys-calendar
安装完成后，直接呼叫该 Skill 的名称或使用 /opys-calendar 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v0.1.2

- Added an environment variable manifest and details to SKILL.md, clarifying supported env variables and their purposes. - Changed the default agent snapshot file path from an absolute path to a relative one (`./agent-snapshot.md`) in documentation. - Updated the skill name and description section with an explicit env manifest block. - Improved documentation structure for clarity, especially regarding environment variable configuration.

v0.1.1

- Added scripts/check_error.js for error checking automation. - Added scripts/take_screenshots.js to support automated screenshot capture. - No changes to core calendar or sync functionality.

v0.1.0

Initial release of opys-calendar skill. - Provides CLI commands to add, update, check, delete events, and manage categories in a markdown-backed calendar. - Synchronizes events with Google Calendar via UI-based sync controls. - Enforces safe update/query flows with conflict detection and resolution options. - Maintains authoritative event records in `calendar.md` using YAML blocks. - Automatic snapshots of recent changes for safety and audits. - UI supports event management actions except creation (CLI-only for adding events). - Includes import/export functionality for backup and restore.

元数据

Slug opys-calendar

版本 0.1.2

许可证 —

累计安装 0

当前安装数 0

历史版本数 3

常见问题

Opys Calendar Skill 是什么？

A local markdown-backed calendar with CLI and optional two-way Google Calendar sync. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 489 次。

如何安装 Opys Calendar Skill？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install opys-calendar」即可一键安装，无需额外配置。

Opys Calendar Skill 是免费的吗？

是的，Opys Calendar Skill 完全免费（开源免费），可自由下载、安装和使用。

Opys Calendar Skill 支持哪些平台？

Opys Calendar Skill 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Opys Calendar Skill？

由 21J3phy（@21j3phy）开发并维护，当前版本 v0.1.2。