Caldav Calendar 1.0.1

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward calendar-sync helper whose calendar access, local cache use, and setup steps match its stated purpose.

Install this only if you want the agent to help manage the calendars you configure. Use provider app passwords or limited-scope credentials where possible, protect the local password file, review create/edit/delete actions before syncing, and treat the khal cache deletion command as a troubleshooting step for stale local data.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 92% confidence
Finding: The skill documents a destructive command that deletes khal's local cache database without an explicit warning about what is being removed or that it should be used only for cache rebuild scenarios. While this likely does not delete remote calendar data, it can cause local data loss/confusion, force reindexing, and trains an agent to execute a filesystem-destructive command based on a troubleshooting prompt.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal