Security scan
OpenClaw
Suspicious
medium confidence: The skill is basically sound, but because it is always enabled (always: true) and has no explicit confirmation step, there is a risk of unconfirmed automatic bookings or token misuse.
Assessment recommendations
The skill's logic is clear, but the always-enabled setting is the main security risk. Recommendations: remove or change the always-enabled setting, use a least-privilege token, add an explicit user-confirmation step, and verify the skill author.
✓ Purpose & capability
The skill's name/description (book Calendly meetings) matches the declared requirement (CALENDLY_API_TOKEN) and the SKILL.md shows direct Calendly API calls (users/me, event_types, available times, invitees). Asking for a Calendly API token is appropriate for the stated purpose.
ℹ Instruction scope
Instructions are narrowly focused on Calendly API calls via curl and include timezone mapping and booking flow; they do not instruct reading unrelated files or environment variables. However, the SKILL.md shows no explicit user-confirmation step before creating bookings, which means an agent using the skill could create meetings autonomously without a clear consent/confirmation step.
✓ Install mechanism
Instruction-only skill with no install spec or downloaded code — minimal disk write/execution risk. The README suggests copying the skill and setting env vars, which is standard for instruction-only skills.
ℹ Credential requirements
Only CALENDLY_API_TOKEN is required, which is proportional for making API calls. Minor inconsistency: metadata lists the env var but 'Primary credential' is unset; not a functional problem but could be clarified. Because the skill can act autonomously (see persistence_privilege), granting a long-lived personal access token increases exposure — use a token with limited scope or rotate it if installed.
⚠ Persistence & privilege
The skill sets always: true (force-included in every agent run). That is a significant privilege: it will be present/eligible for invocation on all agent interactions and bypasses some eligibility gates. Combined with the ability to create bookings via the provided token and the lack of an explicit confirmation step, this increases the risk of unwanted or accidental bookings and token misuse.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest · v1.0.0 · 2026/2/8
Release notes:
- First release of Calendly Quick Book
- Book meetings instantly via natural language, with no shared links or tab switching
- Supports direct booking commands such as "book [name] [email] [timezone] [time]"
- Automatically maps common timezone abbreviations to IANA format
- Handles booking, availability checks and error messages automatically
- Requires the CALENDLY_API_TOKEN environment variable for authentication
● Harmless
Install command
Official: npx clawhub@latest install calendly-quick-book
Mirror: npx clawhub@latest install calendly-quick-book --registry https://cn.clawhub-mirror.com
Skill documentation
Book Calendly meetings via natural language, without switching tabs or sharing links.
Default configuration
| Setting | Value |
|---|---|
| Default Calendly link | https://calendly.com/your-username |
| Calendly username | your-username |
Commands
| Input | Action |
|---|---|
| book [name] [email] [timezone] [time] | Book a meeting |
| calendly book [name] [email] [timezone] [time] | Book a meeting |
| Field | Required | Example |
|---|---|---|
| Name | Yes | John Smith |
| Email | Yes | john@acme.com |
| Timezone | Yes | EST, PST, UTC |
| Time | Yes | tomorrow at 2pm |
| Input | IANA format |
|---|---|
| EST/EDT | America/New_York |
| CST/CDT | America/Chicago |
| MST/MDT | America/Denver |
| PST/PDT | America/Los_Angeles |
| GMT/UTC | UTC |
Step 1: Get the current user
```bash
curl -s "https://api.calendly.com/users/me" \
  -H "Authorization: Bearer $CALENDLY_API_TOKEN"
```
Step 2: Get event types
```bash
curl -s "https://api.calendly.com/event_types?user={USER_URI}" \
  -H "Authorization: Bearer $CALENDLY_API_TOKEN"
```
Step 3: Get available times
```bash
curl -s "https://api.calendly.com/event_type_available_times?event_type={EVENT_TYPE_URI}&start_time={START_UTC}&end_time={END_UTC}" \
  -H "Authorization: Bearer $CALENDLY_API_TOKEN"
```
Step 4: Create the booking
```bash
curl -s -X POST "https://api.calendly.com/invitees" \
  -H "Authorization: Bearer $CALENDLY_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{ "event_type": "{EVENT_TYPE_URI}", "start_time": "{TIME_UTC}", "invitee": { "name": "{NAME}", "email": "{EMAIL}", "timezone": "{TIMEZONE_IANA}" } }'
```
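The four-step flow above, as an added Python example that is not the skill's own code nor anything shipped by ClawHub or OpenClaw: it runs steps 1 to 3, then asks a `confirm()` callback to approve a summary before the POST in step 4 is sent, which is the confirmation step the scan above flags as missing. The endpoint paths, Bearer header and timezone table come from this page; the JSON response shapes (`resource.uri`, `collection[...]`), the one-day availability window, and the `FakeCalendly` class used to run it offline are assumptions.

```python
"""Calendly quick-book flow with an explicit confirmation gate (added example)."""
import json
import urllib.request
from datetime import datetime, timedelta

API = "https://api.calendly.com"

# Abbreviation -> IANA mapping, as listed in the skill documentation.
TZ_MAP = {
    "EST": "America/New_York", "EDT": "America/New_York",
    "CST": "America/Chicago", "CDT": "America/Chicago",
    "MST": "America/Denver", "MDT": "America/Denver",
    "PST": "America/Los_Angeles", "PDT": "America/Los_Angeles",
    "GMT": "UTC", "UTC": "UTC",
}


def to_iana(tz):
    """Map a common abbreviation to IANA form; pass through names that already are."""
    key = tz.strip().upper()
    if key in TZ_MAP:
        return TZ_MAP[key]
    if "/" in tz:
        return tz
    raise ValueError(f"unknown timezone: {tz!r}")


def http_json(method, url, token, body=None):
    """Real transport: the same requests the curl steps make (not used offline)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def book(name, email, tz, start_utc, token, confirm, transport=http_json):
    """Steps 1-4 with a gate: confirm(summary) -> bool is asked before step 4,
    and nothing is created when it returns False."""
    me = transport("GET", f"{API}/users/me", token)                         # step 1
    user_uri = me["resource"]["uri"]
    types = transport("GET", f"{API}/event_types?user={user_uri}", token)   # step 2
    if not types.get("collection"):
        return {"status": "no_event_type"}
    event_type_uri = types["collection"][0]["uri"]
    start = datetime.fromisoformat(start_utc.replace("Z", "+00:00"))
    end_utc = (start + timedelta(days=1)).strftime("%Y-%m-%dT%H:%M:%SZ")  # assumed window
    avail = transport("GET", f"{API}/event_type_available_times?event_type={event_type_uri}"
                      f"&start_time={start_utc}&end_time={end_utc}", token)  # step 3
    slots = [s["start_time"] for s in avail.get("collection", [])]
    if start_utc not in slots:
        return {"status": "unavailable", "nearest": slots[:3]}
    summary = {"name": name, "email": email, "timezone": to_iana(tz),
               "start_time": start_utc, "event_type": event_type_uri}
    if not confirm(summary):                                                # the gate
        return {"status": "cancelled"}
    created = transport("POST", f"{API}/invitees", token, body={            # step 4
        "event_type": event_type_uri, "start_time": start_utc,
        "invitee": {"name": name, "email": email, "timezone": summary["timezone"]}})
    return {"status": "booked", "resource": created.get("resource", {})}


class FakeCalendly:
    """Constructed stand-in for the API so the flow runs offline; records every call."""
    def __init__(self, slots):
        self.slots, self.calls = slots, []

    def __call__(self, method, url, token, body=None):
        self.calls.append((method, url.split("?")[0], body))
        if url.endswith("/users/me"):
            return {"resource": {"uri": f"{API}/users/USER_PLACEHOLDER"}}
        if "/event_types?" in url:
            return {"collection": [{"uri": f"{API}/event_types/TYPE_PLACEHOLDER"}]}
        if "/event_type_available_times?" in url:
            return {"collection": [{"start_time": s} for s in self.slots]}
        if method == "POST" and url.endswith("/invitees"):
            return {"resource": {"uri": f"{API}/invitees/INV_PLACEHOLDER", **body["invitee"]}}
        raise AssertionError(f"unexpected call {method} {url}")


def demo(approve, start="2026-02-09T14:00:00Z"):
    """Run the flow against FakeCalendly; returns (result, number of POSTs sent)."""
    api = FakeCalendly(slots=["2026-02-09T14:00:00Z", "2026-02-09T15:00:00Z"])
    result = book("Jane Doe", "jane@example.com", "EST", start,
                  "TOKEN_PLACEHOLDER", confirm=lambda s: approve, transport=api)
    posts = sum(1 for method, _, _ in api.calls if method == "POST")
    return result, posts


if __name__ == "__main__":
    print(demo(approve=False))   # read-only steps run, no invitee is created
    print(demo(approve=True))
```

Swapping `FakeCalendly` for the default `http_json` transport and a real `CALENDLY_API_TOKEN` makes the same `book()` call hit the live endpoints; the point of the design is that the only write, the POST in step 4, sits behind the `confirm` callback, so an agent cannot create a meeting without the summary having been shown and approved.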
Response format
Success
✅ Booking successful!
📅 [date]
⏰ [time] [timezone]
👤 [name] ([email])
📍 Calendar invite sent automatically
No availability
⚠️ No available time at [time]. Nearest slots:
1. [option 1]
2. [option 2]
3. [option 3]
Errors
| Error | Response |
|---|---|
| Invalid email | Ask the user to confirm the email |
| Token expired | Point to Calendly settings |
| No event types | Point to creating one in Calendly |
Source: ClawHub · Chinese localization: 龙虾技能库
OpenClaw skill customization / plugin customization / private workflow customization
Free skills or plugins may carry security risks; for a better-matched, more secure solution, consider paid customization.