Jetlag Planner

Security checks across malware telemetry and agentic risk

Overview

The skill does what it says, but it needs careful review because it asks for durable Google Calendar access and includes unsafe credential-sharing setup guidance.

Install only if you are comfortable granting read/write access to your Google Calendar and storing an OAuth token locally. Do not ask another bot to reveal its client secret; create dedicated Google OAuth credentials instead, protect the .env and .oauth-token.json files, and review your calendar after each run because the skill may add many events automatically.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection

Findings (11)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 82% confidence
Finding: The skill invokes local code that depends on environment-based secrets and OAuth state, but it declares no permissions or user-facing warning about accessing sensitive local resources. This creates a transparency and consent problem: users may trigger a skill that reads credential-related files and interacts with external account data without understanding the scope.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 92% confidence
Finding: The stated purpose understates the actual behavior: the skill not only checks for flights but also performs OAuth setup flows, reads sizable calendar data, and writes multiple events back to the user's calendar. When behavior exceeds the description, users cannot give informed consent and may unintentionally authorize broader access and persistent modifications.

Context-Inappropriate Capability

High

Confidence: 98% confidence
Finding: The README explicitly tells users to ask another bot for its stored Google OAuth client ID and secret and reuse them for this skill. Encouraging extraction of credentials from an existing agent's config normalizes credential exfiltration and bypasses separation of duties between skills, increasing the chance those secrets are exposed to unintended tools or logs.

Context-Inappropriate Capability

Medium

Confidence: 84% confidence
Finding: The README instructs users to perform a one-time OAuth flow and then keep a local token so the bot can continue operating autonomously. Persisting reusable OAuth tokens for unattended access expands the access window and can enable calendar reading/modification beyond the immediate user-invoked session if the host or skill environment is compromised.

Missing User Warnings

Medium

Confidence: 78% confidence
Finding: The README advertises automatic scanning of the user's Google Calendar and writing 14+ new events without any prominent privacy or data-handling warning. For a skill that reads potentially sensitive travel data and modifies a primary calendar, lack of explicit notice and consent framing can cause users to grant broad access without understanding the implications.

Missing User Warnings

High

Confidence: 97% confidence
Finding: Telling users to ask another bot for a Google Client ID and Secret omits any warning that these are sensitive credentials and should not be revealed in conversation. In an agent ecosystem, this is especially dangerous because chat-mediated secret retrieval can leak into transcripts, logs, or other skills and trains users to disclose secrets casually.

Vague Triggers

Medium

Confidence: 78% confidence
Finding: The trigger phrases are broad enough to match ordinary travel-related conversation, increasing the chance of accidental activation. Because activation leads to reading calendar data and potentially writing events, unintended invocation can cause privacy exposure and unwanted calendar changes.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The description omits a critical warning that the skill will access Google Calendar contents and write new events, which are privacy-sensitive and state-changing operations. Users may reasonably interpret the skill as informational planning rather than granting it permission to inspect and modify personal calendar data.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill writes multiple events directly into the user's primary Google Calendar after detecting possible flight events, without presenting a preview, requiring explicit confirmation, or offering a dry-run mode. In this context, the app has broad calendar write access and can create many reminder events automatically, so a parsing mistake or unexpected event match can lead to unwanted modifications and calendar spam.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The manifest explicitly states that the skill scans Google Calendar and writes plans back to the user's calendar, but it does not disclose this modification risk in a warning-oriented way or indicate any confirmation/safety boundary. In a calendar-integrated skill, silent write behavior can lead to unexpected data changes, user confusion, and privacy-sensitive automation without adequately informed consent.

Ssd 3

High

Confidence: 99% confidence
Finding: The README directly instructs users to have an existing bot reveal stored OAuth credentials from its configuration. That is a textbook secret-disclosure anti-pattern: it weakens trust boundaries between agent components and creates a practical path for credential harvesting unrelated to the bot's original purpose.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal