Google Calendar

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Google Calendar integration that uses Membrane for OAuth-backed calendar actions, including event changes, with no hidden code or deceptive behavior found.

Install only if you trust Membrane and the npm CLI package, review the Google OAuth permissions carefully, use the intended Google account, and require explicit confirmation before creating, updating, deleting, or sending raw proxy requests for calendar data.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill documents destructive actions such as deleting and updating calendar events but provides no guidance to obtain explicit user confirmation before executing them. In an agentic context, this increases the chance of unintended destructive operations against a user's calendar data, especially when the skill is used from natural-language requests or ambiguous prompts.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal