Doro Email To Calendar
Pass
Audited by VirusTotal on May 11, 2026.
Findings (1)
The skill contains a critical command-injection flaw that amounts to Remote Code Execution (RCE) in `scripts/utils/event_tracking.py`. As part of its validation step, the `lookup_events` function invokes `delete_tracked_event.sh` via `subprocess.run(..., shell=True)`, and the command string it builds interpolates an `event_id` loaded from the skill's internal JSON file (`events.json`). Because the string is handed to a shell, any shell metacharacters in that field (`;`, `|`, `$(...)`, backticks) are interpreted as commands rather than as data, so an attacker who can get malicious content into the `event_id` field of `events.json` obtains arbitrary command execution with the privileges of the agent running the skill. The skill's documentation (`SKILL.md`, `BOOT.md`) does instruct the AI agent to go through wrapper scripts and avoid direct CLI calls, which is a reasonable defense against prompt injection at the agent layer, but that guidance does not cover this code path: the flaw is unintentional, lives below the wrapper-script boundary, and represents a significant RCE risk on its own. The fix is to stop passing a shell command string at all (pass the script and `event_id` as an argument list with `shell=False`) and to validate `event_id` against a strict allowlist before it reaches the script.
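The following is an added illustration of the finding, not code from the skill or from the VirusTotal report. The page does not show the exact command string `lookup_events` builds or the layout of `events.json`, so the stand-in `delete_tracked_event.sh` (an echo-only stub written to a temp dir), the JSON shape, and the `EVENT_ID_RE` allowlist are all assumptions. It runs the same `event_id` values three ways: the `shell=True` pattern described in the finding, an argv list with no shell (which alone neutralises the metacharacters), and the argv list combined with allowlist validation, which is the form a hardened `lookup_events` should use.

```python
import json
import os
import re
import subprocess
import tempfile

# Constructed stand-in for the skill's delete_tracked_event.sh (assumption: the
# script takes the event id as its first argument). It only echoes, so a
# successful injection shows up as an extra "INJECTED" line in its output.
STUB_SCRIPT = '#!/bin/sh\necho "deleting $1"\n'

# Constructed events.json content (assumed layout): one benign id and one id
# carrying a shell metacharacter payload, as an attacker might plant it.
EVENTS_JSON = json.dumps({
    "events": [
        {"event_id": "evt-20260511-001"},
        {"event_id": "x; echo INJECTED"},
    ]
})

# Assumed allowlist: ids are short and limited to safe characters.
EVENT_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def write_stub_script(dirpath):
    """Write the stub script and return its path (invoked via /bin/sh, so no chmod needed)."""
    path = os.path.join(dirpath, "delete_tracked_event.sh")
    with open(path, "w") as fh:
        fh.write(STUB_SCRIPT)
    return path


def load_event_ids(raw_json):
    """Pull every event_id out of the (assumed) events.json structure."""
    return [entry["event_id"] for entry in json.loads(raw_json)["events"]]


def delete_vulnerable(script, event_id):
    """Mirrors the flaw: event_id is interpolated into a string parsed by a shell."""
    cmd = f"/bin/sh {script} {event_id}"
    res = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return res.stdout


def delete_argv_only(script, event_id):
    """No validation, but argv is a list and shell=False: the id is a single argument,
    so ';' and the rest are passed through literally and never interpreted."""
    res = subprocess.run(["/bin/sh", script, event_id], shell=False,
                         capture_output=True, text=True)
    return res.stdout


def delete_hardened(script, event_id):
    """Defense in depth: reject anything outside the allowlist, then use the argv form."""
    if not EVENT_ID_RE.fullmatch(event_id):
        raise ValueError(f"rejected event_id: {event_id!r}")
    res = subprocess.run(["/bin/sh", script, event_id], shell=False,
                         capture_output=True, text=True, check=True)
    return res.stdout


def run_demo():
    """Run each event_id through the three variants; returns {variant: {event_id: output}}."""
    results = {"vulnerable": {}, "argv_only": {}, "hardened": {}}
    with tempfile.TemporaryDirectory() as tmpdir:
        script = write_stub_script(tmpdir)
        for eid in load_event_ids(EVENTS_JSON):
            results["vulnerable"][eid] = delete_vulnerable(script, eid)
            results["argv_only"][eid] = delete_argv_only(script, eid)
            try:
                results["hardened"][eid] = delete_hardened(script, eid)
            except ValueError as exc:
                results["hardened"][eid] = str(exc)
    return results


if __name__ == "__main__":
    for variant, outputs in run_demo().items():
        for eid, out in outputs.items():
            print(f"[{variant}] {eid!r} -> {out!r}")
```

With the malicious id, the `shell=True` variant prints `deleting x` followed by a separate `INJECTED` line, proving the second command ran; the argv-only variant prints `deleting x; echo INJECTED` as one literal argument; the hardened variant never invokes the script because the id fails the allowlist. Of the two fixes, dropping `shell=True` is the one that actually closes the RCE; the allowlist is a second layer that also stops the script from receiving ids it was never designed to handle.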
