Back to skill

Security audit

gcal-pro - Google Calendar

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Google Calendar integration, but it needs review because Pro commands can create, edit, or delete real calendar events without an enforced confirmation barrier.

Install only if you are comfortable granting Google Calendar access. For Pro write features, require the agent to show the exact event, time, calendar, and action before making changes, and be especially careful with delete requests. Do not proceed through Google's unverified-app warning unless you personally created and recognize the OAuth project, and keep client_secret.json and token.json private.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (18)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill instructs use of shell commands, local credential/token files, and OAuth/networked calendar operations, but it declares no permissions or trust boundaries. That mismatch can cause the agent platform or user to invoke a skill with broader capabilities than expected, increasing the risk of unintended file access, token exposure, or calendar modification.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The validation routine does not authenticate licenses at all: despite comments about checksum or future API verification, it returns true for any key matching the basic GCAL-XXXX-XXXX-XXXX shape. An attacker can self-generate a formatted key, activate Pro features, and the local license file then marks the tier as valid without any server-side proof or cryptographic signature.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation advertises a destructive action example, 'Delete my 3pm meeting', without any mention of confirmation, undo, or safety checks. In a calendar-management skill with edit/delete capability, this increases the risk that an agent or user issues an ambiguous command that results in unintended event deletion.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The description is broad enough that many ordinary scheduling requests could trigger this skill automatically, including requests where the user may not intend calendar access. In a skill that can read schedules and, in Pro mode, create/edit/delete events, overbroad invocation increases the chance of inappropriate tool use and privacy-impacting actions.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Generic examples like 'Add X to my calendar' and 'Schedule Y' make write-capable invocation very permissive. In context, this skill supports creating and deleting events, so vague routing guidance could lead to accidental event creation or modification from ambiguous user requests.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The setup directs users to store OAuth client secrets and access tokens locally but does not prominently warn that these files are highly sensitive or recommend secure file permissions. If those files are exposed, an attacker may gain calendar access or reuse OAuth material depending on token scope and refresh-token availability.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The guide explicitly tells users to bypass Google's 'This app isn't verified' interstitial by clicking 'Advanced' and proceeding, without requiring them to verify the app identity, ownership, or expected redirect behavior first. Training users to ignore browser or provider trust warnings weakens phishing resistance and can normalize unsafe authorization flows, especially for an OAuth app that requests calendar access and may later store refresh tokens.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The quick_add function creates calendar events immediately from natural-language input without any built-in confirmation or preview step. In an agent context, ambiguous or maliciously crafted prompts can cause unintended event creation, invitations, or schedule manipulation, especially because the operation has side effects on the user's real calendar.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
location: Event location
        attendees: List of attendee emails
        calendar_id: Target calendar
        confirmed: Skip confirmation if True
        
    Returns:
        Created event or None
Confidence
91% confidence
Finding
Skip confirmation

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
description: New description (optional)
        location: New location (optional)
        calendar_id: Calendar ID
        confirmed: Skip confirmation if True
        
    Returns:
        Updated event or None
Confidence
90% confidence
Finding
Skip confirmation

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
Args:
        event_id: ID of event to delete
        calendar_id: Calendar ID
        confirmed: Skip confirmation if True
        
    Returns:
        True if deleted successfully
Confidence
95% confidence
Finding
Skip confirmation

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
])
    parser.add_argument("--query", "-q", help="Search query or event text")
    parser.add_argument("--id", help="Event ID for delete/update")
    parser.add_argument("--yes", "-y", action="store_true", help="Skip confirmation")
    
    args = parser.parse_args()
Confidence
86% confidence
Finding
Skip confirmation

Unpinned Dependencies

Low
Category
Supply Chain
Content
# gcal-pro dependencies
google-auth>=2.23.0
google-auth-oauthlib>=1.1.0
google-auth-httplib2>=0.1.1
google-api-python-client>=2.100.0
Confidence
95% confidence
Finding
google-auth>=2.23.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# gcal-pro dependencies
google-auth>=2.23.0
google-auth-oauthlib>=1.1.0
google-auth-httplib2>=0.1.1
google-api-python-client>=2.100.0
pytz>=2023.3
Confidence
95% confidence
Finding
google-auth-oauthlib>=1.1.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# gcal-pro dependencies
google-auth>=2.23.0
google-auth-oauthlib>=1.1.0
google-auth-httplib2>=0.1.1
google-api-python-client>=2.100.0
pytz>=2023.3
python-dateutil>=2.8.2
Confidence
94% confidence
Finding
google-auth-httplib2>=0.1.1

Unpinned Dependencies

Low
Category
Supply Chain
Content
google-auth>=2.23.0
google-auth-oauthlib>=1.1.0
google-auth-httplib2>=0.1.1
google-api-python-client>=2.100.0
pytz>=2023.3
python-dateutil>=2.8.2
Confidence
95% confidence
Finding
google-api-python-client>=2.100.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
google-auth-oauthlib>=1.1.0
google-auth-httplib2>=0.1.1
google-api-python-client>=2.100.0
pytz>=2023.3
python-dateutil>=2.8.2
Confidence
90% confidence
Finding
pytz>=2023.3

Unpinned Dependencies

Low
Category
Supply Chain
Content
google-auth-httplib2>=0.1.1
google-api-python-client>=2.100.0
pytz>=2023.3
python-dateutil>=2.8.2
Confidence
90% confidence
Finding
python-dateutil>=2.8.2

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.