by 安全扫描
OpenClaw
可疑
medium confidence该技能仅用于运行 Google Calendar CLI 命令以更新事件标题,但忽略了所需 'gog' 二进制文件的来源和凭据信息,并隐式依赖本地 CLI 认证,这是安装前应了解的潜在不匹配点。
评估建议
Before installing: verify what 'gog' is (official Google tool or third-party) and only use a vetted binary from an official source. Ensure the CLI is configured with the minimum OAuth scopes needed to edit event summaries and that you understand which local credentials/config files it will read. Test the command manually in a safe account or isolated environment to confirm behavior. If you need a stricter security posture, require the skill documentation to declare credential/config path expecta...详细分析 ▾
ℹ 用途与能力
The skill's name, description, and instructions all claim a single, narrow purpose (update only an event summary) and the required 'gog' binary aligns with that purpose — executing a native CLI is reasonable for this task. However, the skill does not document where 'gog' comes from (official Google tool vs third-party), which matters for trust.
✓ 指令范围
SKILL.md instructs a single CLI invocation (gog calendar update <calendarId> <eventId> --summary "...") and to validate the returned JSON; it does not instruct reading arbitrary files or exfiltrating data. The validation/retry loop is narrow and limited to the task.
✓ 安装机制
There is no install spec (instruction-only), so nothing is written to disk by the skill itself. That reduces risk, but the runtime requires an external binary ('gog') already present on the system.
⚠ 凭证需求
The skill declares no environment variables or config paths, yet using a Google CLI typically requires authenticated credentials/config stored locally (OAuth tokens, config files). This implicit reliance on existing CLI authentication is not documented. The 'gog' binary may also access the filesystem or network when executed — that privilege isn't represented in the metadata.
✓ 持久化与权限
always:false (no forced permanent inclusion) and autonomous invocation is allowed (platform default). The skill does not request elevated persistent privileges or modify other skills' configs.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
安装命令
点击复制官方npx clawhub@latest install google-calendar-update-summary
镜像加速npx clawhub@latest install google-calendar-update-summary --registry https://cn.longxiaskill.com镜像同步中
技能文档
精益哲学(原则) Kaizen(改善):此技能为原子节点,仅允许更新事件摘要(标题),杜绝模式幻觉,确保单一职责。
Standardized Work(Hyojun Sagyo):该节点代表自动化前完成此任务最高效、标准化的路径。
Jidoka(自働化):该节点具备自主缺陷检测功能,依赖 CLI 的自修复循环;若更新失败则报错。你必须验证输出,确认摘要已更新。
Google Calendar Update Summary 该技能允许 agent 通过原生 CLI 更新 Google Calendar 中已有事件的摘要(标题),不修改时间、地点或参与者。
认知指令 WHEN [需修改已有事件标题/摘要] THEN [执行原生终端命令 gog calendar update --summary "..."]
模式示例 { "command": "gog calendar update primary event_id_123 --summary \"Updated Sync Meeting\" --json" }
Jidoka 验证循环 尝试:执行命令。 评估:检查 JSON 响应,确认摘要与请求字符串一致。 修正/失败:若失败或出现参数幻觉,按确切错误重试,最多 3 次(max_retries=3)。 继续:返回最终有效 JSON。
预期输出 返回 JSON 对象,确认事件详情已更新为新摘要。