Recipe Find Free Time

Security checks across malware telemetry and agentic risk

Overview

This is a small Google Calendar scheduling recipe whose sensitive actions are visible and aligned with finding and booking a meeting time.

Install only if you already trust the `gws` setup and `gws-calendar` skill. Before running the insert command, verify the Google account, calendar, attendees, title, start time, and end time, because it can create an event and potentially notify invitees.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The skill is described as finding free time, but the documented workflow goes further and includes creating a calendar event. That expands the operational scope from read-oriented availability checking to a write action that can modify calendars and affect attendees without an explicit confirmation step, increasing the chance of unintended actions.

Missing User Warnings

Low
Confidence: 91%
Finding
The example shows insertion of a calendar event affecting multiple attendees without any warning or explicit confirmation requirement. In a scheduling context, silent writes can create unwanted meetings, spam attendees, or alter calendars based on an incorrectly chosen slot.

VirusTotal

65/65 vendors flagged this skill as clean.