Back to skill

Security audit

Recipe Schedule Recurring Event

Security checks across malware telemetry and agentic risk

Overview

This is a transparent Google Calendar recipe, but users should edit and confirm the recurring event details before running it.

Before installing or using this recipe, confirm gws is authenticated to the intended Google account and replace the sample calendar, time, recurrence rule, timezone, and attendee email. Running the command as written would create a recurring event on the primary calendar and may invite the listed attendee.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill performs an external side effect by creating a recurring calendar event and sending attendee invitations, but it does not prominently warn the user about those actions. In an agent context, missing disclosure increases the risk of unintended repeated scheduling, accidental invitations, and user confusion because the command can create ongoing events rather than a one-time calendar entry.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.