Security audit

Apple Calendar Ops

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it claims, but it needs review because it can use stored Apple credentials to modify or delete calendar data and does not strictly constrain update/delete targets to known calendars.

Install only if you trust the agent with Apple Calendar credentials and real calendar write/delete authority. Prefer a dedicated app-specific password, verify baseUrl/calendarUrls/timezone, use dry-run before writes, and only pass event IDs returned by this skill's fetch output until target URL allowlisting is enforced.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (5)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 95% confidence
Finding: The skill documents file and network-capable operations, including reading secrets from a local file and interacting with Apple Calendar over CalDAV, but it does not declare those permissions explicitly. This creates a transparency and governance gap: users and policy engines may not realize the skill can access local sensitive files and perform network actions, increasing the risk of overprivileged or unexpected behavior.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The description says the skill can create, update, and delete Apple Calendar events, but it does not prominently warn users that it can modify or permanently remove calendar data. Without an explicit user-facing warning, an orchestrator or end user may invoke the skill without appreciating the risk of destructive actions, leading to unintended data loss or unauthorized changes.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill instructs operators to source credentials from a secrets file, but it does not include a user-facing warning that sensitive authentication material will be accessed. This omission can mislead users about the sensitivity of the operation and raises the chance of secrets exposure through logs, misconfiguration, or unintended broader file access.

Missing User Warnings

High

Confidence: 78% confidence
Finding: This helper exposes a direct destructive DELETE operation against remote calendar resources with no built-in confirmation, policy check, or safety guard. In an agent setting, that increases the risk of accidental or prompt-induced deletion of calendar data, especially because this module is explicitly designed to act on behalf of a user with stored credentials.

Credential Access

High

Category: Privilege Escalation
Content: - updates/deletes should prefer explicit event ids - fuzzy title matching may help locate events, but should not be the only basis for risky writes Credentials should come from `/home/agent/.openclaw/workspace/secrets.json`. Read `references/boundary.md` before changing the skill's scope. Read `references/event-contract.md` before writing or consuming event JSON.
Confidence: 88% confidence
Finding: secrets.json

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.