Recipe Reschedule Meeting

Security checks across malware telemetry and agentic risk

Overview

This is a small Google Calendar rescheduling recipe whose attendee notifications are disclosed and aligned with its purpose, though users should review the event before running it.

Before installing or using it, make sure gws is authenticated to the intended Google account, verify the calendar, event ID, attendee list, new start/end time, and timezone, and only run the patch when you intend all attendees to receive the update.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill explicitly performs a calendar event patch with `sendUpdates: "all"`, which causes attendee notifications to be sent automatically, but it does not include a clear user-facing warning or confirmation step before triggering those messages. In a scheduling context, this can cause unintended external communication, user confusion, or accidental disruption if the wrong event or time is selected.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal