Claw Calendar Skill

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Claw Calendar helper that uses a user-provided API key to list and create calendars and events.

Install only if you trust Claw Calendar with the calendar data you connect. Keep the API key private, verify the API URL before use, and review commands that create calendars, events, reminders, or print subscription links.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 82% confidence
Finding: The invocation guidance says to use the skill whenever a user needs to manage calendars, create events, set reminders, or subscribe to calendars, which is broad and lacks tighter guardrails such as requiring explicit user intent to perform external side effects. In a skill that can create remote calendars and events via API, vague triggers can cause over-invocation and unintended writes to the user's calendar service.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal