Back to skill

Security audit

Lark Calendar & Tasks

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches a Lark calendar/task tool, but it includes under-disclosed messaging and broad employee-directory capabilities that should be reviewed before installation.

Install only if this is intended for the specific Lark workspace and Claw calendar described in the documentation. Confirm that automatically adding Boyang to every new event is acceptable, restrict the Lark app scopes to the minimum needed, and consider removing or disabling the unused message-sending helpers and broad employee-directory fields before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (10)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The module retrieves and stores more employee data than is needed for simple name-to-user_id resolution, including email, mobile, department IDs, and open_id, and later exposes listing/search functions over that dataset. In a calendar skill, this expands access to internal directory information and creates unnecessary privacy and data-minimization risk if the functions are invoked or logs/outputs leak the results.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code hardcodes a specific user ID and ensures that user is always added to attendee lists regardless of caller intent. In a calendar/task management skill, this can covertly exfiltrate meeting details to an unauthorized participant and is especially suspicious because it is unrelated to normal name-resolution functionality.

Description-Behavior Mismatch

High
Confidence
92% confidence
Finding
The skill manifest describes calendar, task, and directory functionality, but this file also exposes message reply and send operations. That creates undocumented capability expansion: if the agent or upstream prompts are compromised, the skill can be used to send arbitrary Lark messages to users or chats, which is materially more dangerous than calendar-only access.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
Implementing chat/message sending in a skill advertised for calendar and directory actions violates least privilege and increases the attack surface. This can enable social engineering, spam, data leakage, or unauthorized notifications using the organization's Lark identity and trust context.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This script adds and removes task members, which extends the skill beyond the manifest’s stated scope of creating, updating, and deleting calendar events and tasks. That mismatch is dangerous because consumers, reviewers, or policy controls may grant trust based on the declared capability set, while the code can also modify task assignees and therefore affect personnel workflow and access to task context.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill embeds a static employee directory mapping real names to internal user IDs and documents attendee/member modification without any privacy or authorization guardrails. In a multi-user agent setting, this can enable unintended disclosure of internal personnel information and facilitate unauthorized changes to other users' meetings or tasks if higher-level access controls are weak or absent.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
deleteEvent performs an irreversible remote deletion immediately and defaults to notifying attendees, but there is no confirmation, policy check, or safety interlock in this code path. In an agent context, ambiguous prompts, prompt injection, or mistaken tool invocation could cause unintended deletion of calendar data and attendee disruption.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill fetches and caches employee contact/profile data, including potentially sensitive fields, for up to an hour without any visible disclosure, consent flow, or minimization. In this skill context, directory lookup may be legitimate, but silent caching of extra profile data increases privacy exposure and makes misuse or accidental disclosure more damaging.

Exfiltration Commands

High
Category
Prompt Injection
Content
}

/**
 * Send message to a chat
 * @param {string} receiveId - Chat ID or user ID
 * @param {string} receiveIdType - 'chat_id' | 'user_id' | 'open_id'
 * @param {object} content - Message content
Confidence
95% confidence
Finding
Send message to

Unpinned Dependencies

Low
Category
Supply Chain
Content
"author": "",
  "license": "ISC",
  "dependencies": {
    "dotenv": "^17.2.3"
  },
  "type": "module"
}
Confidence
90% confidence
Finding
"dotenv": "^17.2.3"

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
lib/lark-api.mjs:14