Recipe Batch Invite To Event

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Google Calendar recipe for adding attendees to an event and sending invite notifications.

Before using it, verify the active Google account, target calendar event ID, and every attendee email. Running the patch step modifies the event and can send calendar notification emails to the added attendees.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill instructs users to patch a Google Calendar event with `sendUpdates: "all"` but does not warn that this action will send notification emails to attendees. In a batch-invite recipe, this can cause unintended external communication, spam, or disclosure that an event exists and who is being added, especially if the event ID or attendee list is wrong.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal