Back to skill

Security audit

Opys Calendar Skill

Security checks across malware telemetry and agentic risk

Overview

The skill matches its calendar-sync purpose, but it ships real-looking personal calendar data and exposes broad unauthenticated local mutation APIs, so it needs review before installation.

Install only after reviewing and cleaning the bundled calendar/state files. Treat calendar.md as private data, do not connect a Google account unless you trust the local server, and prefer running it bound to localhost with restricted CORS/authentication before allowing browser or agent access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill advertises access to environment variables and networked Google Calendar sync, but does not declare any explicit permissions or trust boundaries. This creates a real security gap because a caller or platform may not realize the skill can access OAuth secrets and perform external sync operations, increasing the chance of over-privileged execution and accidental secret exposure.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The server exposes a generic read/write settings API backed by a local dotfile with no authentication or authorization checks. Any website can issue credentialed cross-origin requests because CORS is enabled with credentials and there is no CSRF protection, allowing unauthorized modification or retrieval of local application settings from a victim's browser.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README explicitly promotes agent-readable and agent-writable calendar files plus optional two-way Google Calendar sync, but it does not warn users that sensitive schedule data may be exposed to local or remote agents, logged, or propagated to third-party services. In an agent-focused tool, this omission increases the chance that users enable broad automation over highly sensitive personal or business scheduling data without understanding the privacy and integrity risks.

Missing User Warnings

High
Confidence
99% confidence
Finding
This markdown calendar contains highly sensitive personal data, including a private email address, detailed daily routines, school schedule, family errands, birthday recurrence, and physical location information. Because the skill is a local markdown-backed calendar with optional Google Calendar sync, this file is clearly intended to be processed and potentially exposed by tooling, making inadvertent disclosure, profiling, stalking, and social-engineering risks substantially more serious.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
OAuth access tokens, refresh tokens, and user session data are persisted in plaintext to .calendar-sessions.json. On a local skill this creates long-lived credential exposure to any local user, process, backup system, or malware that can read the working directory, and compromise can extend to the user's Google Calendar account.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The import endpoint replaces the entire calendar markdown file with attacker-supplied content and has no authentication or CSRF protection. Because the app uses cookie sessions and permissive credentialed CORS, a malicious site could trigger destructive file overwrite requests from a victim's browser against the local service.

Missing User Warnings

Low
Confidence
91% confidence
Finding
The event create, update, and delete routes directly modify persistent local calendar data without any authentication, authorization, or CSRF defenses. In this local-service context, any website reachable by the victim's browser can abuse the API to tamper with or erase calendar entries if the service is exposed on localhost.

Missing User Warnings

High
Confidence
96% confidence
Finding
The Google sync endpoint can perform destructive bidirectional synchronization, including local deletions and remote Google Calendar updates/deletions, and it is callable using only the ambient session cookie. In combination with permissive credentialed CORS and no CSRF protection, a malicious site could induce unauthorized sync actions that alter or delete both local and Google-hosted calendar data.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal, suspicious.potential_exfiltration

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
server/index.ts:18

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
server/index.ts:418

Sensitive-looking file read is paired with a network send.

Warn
Code
suspicious.potential_exfiltration
Location
server/index.ts:110