Calctl

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward calendar command-line skill, with expected access to calendar events and attendee data when the user chooses those commands.

Install only if you trust the referenced calctl package source. Grant Calendar permission knowingly, confirm add/edit/delete actions before running them, and avoid using --attendees unless you need attendee names, email addresses, and response statuses in the output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill explicitly advertises a flag that reveals attendee names, email addresses, and participation status, but provides no warning that this is privacy-sensitive personal data. In an agent context, this increases the risk that a user or downstream automation invokes the command and exposes calendar participant information in terminal logs, chat transcripts, JSON output, or other secondary storage without informed consent.

VirusTotal

65/65 vendors flagged this skill as clean.
