What this is
This guide documents the technical security boundaries enforced when you connect your calendar to the TutorClaw system.
Why it matters
Keeping calendar access read-only prevents the assistant from accidentally or maliciously modifying your personal or work schedules.
🔒 Strictly Read-Only Access
Calendar Safety Boundary
TutorClaw can read calendar events only. It cannot create, edit, delete, move, invite, or cancel calendar events.
By design, this read-only calendar setup ensures TutorClaw has absolutely no write, delete, or scheduling permissions on your Google Account. Even if you explicitly type a prompt asking the assistant to book or modify an appointment, it will inform you that its permissions are strictly read-only and that it cannot make changes.
📂 Private Local Files
Your calendar credentials are stored in two files inside your project directory: credentials.json and token.json. These files remain exclusively on your local machine and are never uploaded to any external server.
🔐 Token Safety Rules
- Do not share: Never send your calendar token files to anyone in chat or emails.
- Do not package: Always exclude or delete
credentials.jsonandtoken.jsonbefore copying or compressing your TutorClaw folder for others. - Revoke easily: You can revoke calendar access at any time by going to myaccount.google.com/permissions and removing the TutorClaw application.
Use Chat as the Lab
To verify this safety boundary, open your chat window (the lab) and test these questions:
Can you reschedule my appointments?Show me my calendar safety limits.