Back to skill

Security audit

gcal-pro - Google Calendar

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Google Calendar skill, but it can create, update, or delete calendar events without reliably enforcing user confirmation.

Install only if you are comfortable granting Google Calendar access. Prefer read-only use unless you need Pro writes, protect ~/.config/gcal-pro, do not share or display credential files, and require an explicit preview plus confirmation before any create, quick-add, update, or delete action. Enable cron or messaging briefs only for private destinations you trust.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (19)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill instructs use of shell commands, local file access to OAuth secrets and tokens, and networked Google Calendar operations, but it does not declare any permissions or boundaries. In an agent environment, this mismatch can cause overly broad implicit access and reduces transparency for review, increasing the risk of unauthorized file, network, or command execution.

Missing User Warnings

High
Confidence
96% confidence
Finding
The troubleshooting guidance tells users to bypass Google's "unsafe" warning by clicking through to an unverified app without any safety disclaimer or verification steps. This normalizes ignoring browser and OAuth trust warnings, which can train users to override legitimate security protections and expose their Google account data to an unreviewed application.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The skill description says to use it for broad calendar-related requests like checking schedules, adding, editing, deleting, and morning briefs, without clear activation constraints. Overbroad triggers can cause the wrong skill to activate on ambiguous user input, leading to unintended access to sensitive calendar data or accidental calendar modifications.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The create-event guidance activates on vague phrases like 'Add X to my calendar' or 'Schedule Y' without constraints for ambiguity, identity, date resolution, or conflict handling. In a natural-language agent, this increases the chance of unintended event creation from loosely related conversation or incomplete instructions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill recommends sending morning briefs containing calendar contents to messaging channels, which are external destinations, without explicit consent, destination validation, or privacy warnings. Calendar entries often contain sensitive personal, business, location, and meeting information, so automated forwarding can create a confidentiality breach.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide explicitly tells users to bypass Google's unverified-app warning by clicking through an 'unsafe' prompt, without explaining the security implications or limiting this to controlled developer testing. This normalizes overriding a security warning and could train users to authorize unverified OAuth apps that may request sensitive calendar access.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The module hard-codes DEFAULT_TIMEZONE to America/New_York and applies it when parsing and formatting dates. In a calendar skill, this can cause events to be read, displayed, or created at the wrong local time for users in other regions, leading to missed meetings or unintended scheduling changes.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
quick_add performs an immediate write operation against Google Calendar using natural-language text and does not present a pre-action confirmation step. Because natural-language parsing can be ambiguous, this increases the risk of unintended event creation, attendee notifications, and calendar modification from misunderstood user input or prompt injection flowing into the tool call.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
location: Event location
        attendees: List of attendee emails
        calendar_id: Target calendar
        confirmed: Skip confirmation if True
        
    Returns:
        Created event or None
Confidence
93% confidence
Finding
Skip confirmation

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
description: New description (optional)
        location: New location (optional)
        calendar_id: Calendar ID
        confirmed: Skip confirmation if True
        
    Returns:
        Updated event or None
Confidence
94% confidence
Finding
Skip confirmation

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
Args:
        event_id: ID of event to delete
        calendar_id: Calendar ID
        confirmed: Skip confirmation if True
        
    Returns:
        True if deleted successfully
Confidence
98% confidence
Finding
Skip confirmation

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
])
    parser.add_argument("--query", "-q", help="Search query or event text")
    parser.add_argument("--id", help="Event ID for delete/update")
    parser.add_argument("--yes", "-y", action="store_true", help="Skip confirmation")
    
    args = parser.parse_args()
Confidence
90% confidence
Finding
Skip confirmation

Credential Access

High
Category
Privilege Escalation
Content
# Configuration
CONFIG_DIR = Path.home() / ".config" / "gcal-pro"
CLIENT_SECRET_FILE = CONFIG_DIR / "client_secret.json"
TOKEN_FILE = CONFIG_DIR / "token.json"
LICENSE_FILE = CONFIG_DIR / "license.json"
Confidence
86% confidence
Finding
secret.json

Unpinned Dependencies

Low
Category
Supply Chain
Content
# gcal-pro dependencies
google-auth>=2.23.0
google-auth-oauthlib>=1.1.0
google-auth-httplib2>=0.1.1
google-api-python-client>=2.100.0
Confidence
92% confidence
Finding
google-auth>=2.23.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# gcal-pro dependencies
google-auth>=2.23.0
google-auth-oauthlib>=1.1.0
google-auth-httplib2>=0.1.1
google-api-python-client>=2.100.0
pytz>=2023.3
Confidence
92% confidence
Finding
google-auth-oauthlib>=1.1.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# gcal-pro dependencies
google-auth>=2.23.0
google-auth-oauthlib>=1.1.0
google-auth-httplib2>=0.1.1
google-api-python-client>=2.100.0
pytz>=2023.3
python-dateutil>=2.8.2
Confidence
91% confidence
Finding
google-auth-httplib2>=0.1.1

Unpinned Dependencies

Low
Category
Supply Chain
Content
google-auth>=2.23.0
google-auth-oauthlib>=1.1.0
google-auth-httplib2>=0.1.1
google-api-python-client>=2.100.0
pytz>=2023.3
python-dateutil>=2.8.2
Confidence
93% confidence
Finding
google-api-python-client>=2.100.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
google-auth-oauthlib>=1.1.0
google-auth-httplib2>=0.1.1
google-api-python-client>=2.100.0
pytz>=2023.3
python-dateutil>=2.8.2
Confidence
89% confidence
Finding
pytz>=2023.3

Unpinned Dependencies

Low
Category
Supply Chain
Content
google-auth-httplib2>=0.1.1
google-api-python-client>=2.100.0
pytz>=2023.3
python-dateutil>=2.8.2
Confidence
89% confidence
Finding
python-dateutil>=2.8.2

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.