Back to skill

Security audit

Email To Calendar

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly purpose-aligned, but it can automatically change Gmail state and persistent workspace behavior, so users should review it before installing.

Install only if you are comfortable giving the skill Gmail and Calendar authority. Before first use, review the setup defaults and consider disabling mark_read, archive, and auto_dispose_calendar_replies; inspect any proposed HEARTBEAT.md changes; and remember that local logs may contain email subjects, event titles, message IDs, and calendar metadata.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (12)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
else:
                            print(f"Orphaned event detected: {event_id} - removing from tracking", file=sys.stderr)
                            if script_dir:
                                subprocess.run(
                                    [f"{script_dir}/delete_tracked_event.sh", "--event-id", event_id],
                                    capture_output=True
                                )
Confidence
88% confidence
Finding
subprocess.run( [f"{script_dir}/delete_tracked_event.sh", "--event-id", event_id], capture_outpu

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill explicitly instructs the agent to read Gmail, write local state, and execute shell wrapper scripts, but the metadata declares no permissions. This creates a trust and authorization gap: a host may present the skill as less privileged than it actually is, and users or enforcement layers may not realize it can access mail, modify calendar state, send email, and write persistent local files.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The bootstrap directs the agent to inspect and potentially modify a global `~/.openclaw/workspace/HEARTBEAT.md` file, which is outside the narrow email-to-calendar task boundary. This creates an overreach risk: installing or activating the skill can silently persist behavior into a broader workspace control file, affecting future agent actions beyond the user's immediate request.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The instruction to add sections to `HEARTBEAT.md` lacks an explicit warning that the skill is altering a user workspace file and establishing persistent automation behavior. That makes the modification non-transparent and can lead to unauthorized changes in agent operating policy or future execution flows.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Defaulting to marking emails as read and archiving them changes the user's mailbox state automatically, which can hide messages, disrupt workflows, or cause loss of visibility if extraction is wrong. Because this is described as a default behavior without a prominent safety warning or explicit opt-in, it increases the chance of unintended state changes to sensitive user data.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The setup guide encourages accepting defaults that will modify inbox state by marking messages read, archiving them, and enabling automatic handling of calendar reply emails, but it does not present these as high-impact actions requiring explicit acknowledgment. In a skill that reads and mutates Gmail state, silent or lightly disclosed defaults can cause users to lose visibility into messages, miss replies, or unintentionally alter records of email activity.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The guide presents auto-processing of calendar reply emails as part of the default email-handling flow without a clear warning about its consequences. Because reply processing can automatically act on accept/decline/tentative emails and dispose of them, users may not realize the skill is making decisions that affect both inbox state and calendar workflow.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document instructs the agent to delete calendar events when cancellation language is detected, but it does not require an explicit user confirmation at the point of deletion. In this skill context, that is meaningful because email text is untrusted and cancellations can be ambiguous, spoofed, or extracted incorrectly, creating a realistic path to unintended destructive actions on the user's calendar.

Natural-Language Policy Violations

Low
Confidence
79% confidence
Finding
The file hardcodes use of the user's local timezone for interpreting email times without opt-in or validation against timezone information in the message. In an email-to-calendar skill, this can cause silent scheduling errors, especially for forwarded emails, travel, remote meetings, or messages that explicitly mention another timezone.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script explicitly implements a "silent audit trail" and logs email-processing activity to a persistent local file without any runtime disclosure, consent prompt, or obvious user-facing notice. In the context of a skill that processes Gmail content and calendar actions, even metadata such as email IDs, subjects, titles, reasons, and actions can reveal sensitive personal or business information, creating a privacy and compliance risk if the local machine or workspace is shared or compromised.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script automatically dispositions unread emails from calendar-notification@google.com without any per-action user confirmation. In this skill's context, modifying mailbox state is security-relevant because a misclassification, unexpected provider behavior, or spoofed/misrouted message could cause important notification emails to be archived or otherwise altered without the user noticing.

Unvalidated Output Injection

High
Category
Output Handling
Content
else:
                            print(f"Orphaned event detected: {event_id} - removing from tracking", file=sys.stderr)
                            if script_dir:
                                subprocess.run(
                                    [f"{script_dir}/delete_tracked_event.sh", "--event-id", event_id],
                                    capture_output=True
                                )
Confidence
92% confidence
Finding
subprocess.run( [f"{script_dir}/delete_tracked_event.sh", "--event-id", event_id], capture_output

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.