Should you connect Calendar?Yes — read-only, high value
Best use caseMorning briefing + automatic meeting prep
Agent scheduling?Yes — agent owns a separate calendar, invites you to events
Time saved~15-30 min/day (with 2-3 meetings)
1. What Calendar Integration Enables
Morning Briefing (Highest Value)
Cron: 7 AM NanoClaw scheduler
→
Read Calendar today's events
→
Cross-Ref network/ profiles
→
Generate Brief attendee context
→
WhatsApp morning message
Example output: "3 meetings today. 10 AM: John Smith (Tier 1 allocator, last contact 30 days ago — you discussed his fund mandate). 2 PM: Sarah Jones (new contact, LinkedIn summary attached). No conflicts."
Automatic Meeting Prep
The agent reads an upcoming event, extracts attendees, then runs your meeting prep framework automatically. The prep brief lands in WhatsApp before you even think about it. This is your existing .claude/frameworks/meeting_prep/ triggered by calendar data rather than manual requests.
Agent-Owned Calendar (The Right Pattern)
Instead of giving the agent write access to your calendar, the agent owns its own Google Calendar and invites you to events. This way:
The agent can freely create, modify, and delete events on its own calendar
You receive invitations and accept/decline as normal
Your personal calendar is never directly writable by the agent
If something goes wrong, you just stop accepting invites — no damage to your calendar
Two-calendar pattern: The agent has read-only access to YOUR calendar (for briefings/prep) and full write access to ITS OWN calendar (for scheduling). Events flow to you as invitations. Clean separation of concerns.
Full Feature Matrix
Feature
How
Value
Recommendation
Morning briefing
Read-only on YOUR calendar
High
Do it
Auto meeting prep
Read-only on YOUR calendar + network/ profiles
Very high
Do it
Schedule meetings
Agent creates event on ITS calendar, invites you + attendees
High
Do it
Conflict detection
Read free/busy on YOUR calendar before scheduling
Medium
Do it
Modify YOUR events
—
—
Never
2. Security Model
Two-Calendar OAuth Setup
The agent needs a Google account (e.g. a service account or a dedicated Google account for the agent). Then:
Calendar
OAuth Scope
Access
Risk
YOUR calendar
calendar.events.readonly
Read events for briefings/prep
Low — cannot modify
YOUR calendar
calendar.freebusy
Check availability before scheduling
Minimal
AGENT's calendar
calendar.events
Full write access to its own calendar
Low — only its own calendar
How invitations work: The agent creates an event on its own calendar with your email as an attendee. Google Calendar automatically sends you an invitation. You see it in your calendar and accept/decline. If the agent messes up, you decline — no damage to your calendar.
Prompt injection via calendar events: A Feb 2026 CVE (CVSS 10/10) demonstrated that malicious text in calendar event descriptions can trigger unintended agent actions. An attacker creates an event with hidden commands — when the agent reads it, it may process them as instructions. Mitigated by container isolation and MCP tool filtering, but the risk exists in any agent that reads untrusted calendar data.[1]
Mitigations
Read-only scope on YOUR calendar — agent physically cannot modify your events
Write access only to AGENT's calendar — worst case, the agent trashes its own calendar (you decline invites)
Query specific calendar IDs only — skip "Personal", "Birthdays", etc. Use a dedicated "Work" calendar
MCP tool filtering — deny write tools on YOUR calendar ID in Claude Code permissions
NanoClaw does not have native Google Calendar integration. However:
It supports MCP servers via .mcp.json
Adding the Google Calendar MCP is a configuration change, not a code change
The scheduled tasks feature already supports daily cron jobs (the briefing infrastructure exists)
The missing piece is just the calendar data source — plugging in the MCP fills this gap
This is the single highest-ROI integration. ~15-30 min/day saved with morning briefings + auto-prep. Read-only access makes it safe. The meeting prep framework you already have gets triggered automatically instead of manually.