gcal-pro - Google Calendar

Security checks across malware telemetry and agentic risk

Overview

This is a real Google Calendar skill, but its live calendar write/delete operations rely too much on caller discipline instead of enforced confirmation.

Install only if you are comfortable granting Google Calendar access. Use read-only mode unless you need Pro writes, protect ~/.config/gcal-pro, avoid sharing or printing credential files, and require an explicit preview plus confirmation before any create, update, quick-add, or delete action. Enable cron or messaging briefs only for private destinations you trust.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Rogue Agent: Self-Modification, Session Persistence
Findings (22)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documents and appears to rely on sensitive capabilities including shell, network, file read/write, and environment access, yet it declares no explicit permissions or guardrails. In a calendar skill, those capabilities can expose OAuth credentials and tokens or enable unintended command execution, making the trust boundary unclear and increasing the chance of over-privileged execution.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The README encourages very broad natural-language usage for a skill that can create, edit, and delete calendar events. In an agent environment, vague trigger guidance can increase the chance of unintended invocation or accidental execution of destructive actions, especially when user requests are ambiguous.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The installation/usage guidance advertises commands like scheduling and deleting events without warning users that the skill can modify or remove calendar data. In practice, this can lead to users enabling or invoking the skill without understanding that it performs destructive operations on a personal calendar.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The OAuth setup instructs users to grant calendar.readonly and calendar.events access but does not explain the privacy and data access implications. Users may authorize broad access to sensitive schedule data and event metadata without informed consent, increasing privacy and account-risk exposure if the skill is misused or compromised.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README advertises create, update, and delete operations against a live Google Calendar without prominently warning users that these actions will modify real calendar data. In a conversational agent context, users may assume experimentation is safe, which raises the risk of accidental event creation, rescheduling, or deletion through misunderstood prompts or automation.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The setup instructions tell users to store OAuth credentials and tokens locally but do not include any privacy or file-permission guidance. While local token storage is common, omitting warnings increases the chance that users place sensitive credentials in insecure locations, back them up unintentionally, or expose them on shared systems.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The troubleshooting section instructs users to click through Google's 'unsafe' unverified-app warning without explaining the trust implications or validating that the OAuth client belongs to the expected developer. This normalizes bypassing a security safeguard and could condition users to approve potentially malicious OAuth apps that request calendar access.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger description is broad enough to activate on common scheduling conversation, which can cause the agent to invoke this skill in situations the user did not clearly intend. Because the skill supports read and Pro write actions against a real calendar, overbroad invocation increases the risk of privacy leakage or unintended calendar changes.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The usage section encourages natural-language activation patterns without clear scope boundaries or disambiguation rules. In practice, that can lead an agent to treat casual conversation as an operational command, especially where search or quick-add functions act on live calendar data.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill recommends sending daily agenda data to a messaging channel without warning that calendar contents may include sensitive personal, medical, travel, or business information. Forwarding that data to external messaging systems expands the exposure surface and may leak private schedule details to less secure destinations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide tells users to print the first lines of `client_secret.json` to the terminal as a verification step. Even partial disclosure can expose OAuth client identifiers and related metadata in shell history, terminal scrollback, screen recordings, remote support sessions, or logs, creating unnecessary credential exposure risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The troubleshooting text instructs users to bypass Google's unverified-app warning by clicking through without explaining the trust implications. This normalizes ignoring security warnings and could train users to approve malicious or misconfigured OAuth apps that request sensitive calendar access.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The quick_add function performs a write to the user's Google Calendar immediately from natural-language input and does not present any confirmation gate before executing the API call. In a calendar-management skill, this is risky because ambiguous user phrasing, prompt injection from upstream orchestration, or mis-parsed commands can create unintended events and potentially send updates to others if the event is later modified or includes invitees.

Natural-Language Policy Violations

Medium
Confidence
81% confidence
Finding
The module hard-codes the timezone to America/New_York for parsing, display, and event creation without deriving it from the user, calendar settings, or explicit configuration. In a scheduling skill, this can silently shift event times, free/busy calculations, and morning brief output, causing incorrect bookings or missed appointments.

Credential Access

High
Category
Privilege Escalation
Content
| Error | Cause | Solution |
|-------|-------|----------|
| "client_secret.json not found" | Setup incomplete | Complete Google Cloud setup |
| "Token refresh failed" | Expired/revoked | Run `python scripts/gcal_auth.py auth --force` |
| "requires Pro tier" | Free user attempting write | Prompt upgrade or explain limitation |
| "Event not found" | Invalid event ID | Search for correct event first |
Confidence
79% confidence
Finding
secret.json

Session Persistence

Medium
Category
Rogue Agent
Content
**First-time setup required:**

1. User must create Google Cloud project and OAuth credentials
2. Save `client_secret.json` to `~/.config/gcal-pro/`
3. Run authentication:
   ```bash
Confidence
76% confidence
Finding
create Google Cloud project and OAuth credentials 2. Save `client_secret.json` to `~/.config

Unpinned Dependencies

Low
Category
Supply Chain
Content
# gcal-pro dependencies
google-auth>=2.23.0
google-auth-oauthlib>=1.1.0
google-auth-httplib2>=0.1.1
google-api-python-client>=2.100.0
Confidence
97% confidence
Finding
google-auth>=2.23.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# gcal-pro dependencies
google-auth>=2.23.0
google-auth-oauthlib>=1.1.0
google-auth-httplib2>=0.1.1
google-api-python-client>=2.100.0
pytz>=2023.3
Confidence
97% confidence
Finding
google-auth-oauthlib>=1.1.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# gcal-pro dependencies
google-auth>=2.23.0
google-auth-oauthlib>=1.1.0
google-auth-httplib2>=0.1.1
google-api-python-client>=2.100.0
pytz>=2023.3
python-dateutil>=2.8.2
Confidence
96% confidence
Finding
google-auth-httplib2>=0.1.1

Unpinned Dependencies

Low
Category
Supply Chain
Content
google-auth>=2.23.0
google-auth-oauthlib>=1.1.0
google-auth-httplib2>=0.1.1
google-api-python-client>=2.100.0
pytz>=2023.3
python-dateutil>=2.8.2
Confidence
97% confidence
Finding
google-api-python-client>=2.100.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
google-auth-oauthlib>=1.1.0
google-auth-httplib2>=0.1.1
google-api-python-client>=2.100.0
pytz>=2023.3
python-dateutil>=2.8.2
Confidence
95% confidence
Finding
pytz>=2023.3

Unpinned Dependencies

Low
Category
Supply Chain
Content
google-auth-httplib2>=0.1.1
google-api-python-client>=2.100.0
pytz>=2023.3
python-dateutil>=2.8.2
Confidence
95% confidence
Finding
python-dateutil>=2.8.2

VirusTotal

66/66 vendors flagged this skill as clean.
