Calendar Manager

Security checks across malware telemetry and agentic risk

Overview

This calendar skill is useful but needs review because it can read and change sensitive calendars and describes automatic reminder/email workflows without clear user approval boundaries.

Install only if you are comfortable giving an agent access to private calendar data and local calendar credentials. Require explicit confirmation before it creates, modifies, deletes, imports events from email, sends reminder emails, or sets up scheduled reminder jobs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 89%
Finding
The top-level description says the skill triggers when users ask to view schedules, add events, or be reminded of upcoming events, but it does not clearly constrain when read-only versus state-changing actions are allowed. Broad activation language can cause an agent to invoke calendar access or reminder behavior in situations the user did not explicitly intend, increasing the risk of unauthorized reads or unintended actions.

Vague Triggers

Medium
Confidence: 92%
Finding
The listed trigger scenarios include vague phrases such as asking what is scheduled today and also 'timed reminders' for upcoming events without clear invocation boundaries. This makes autonomous or repeated execution more likely, which can expose calendar contents or generate reminders without a fresh, user-initiated request.

Missing User Warnings

Medium
Confidence: 84%
Finding
The capability summary includes creating, modifying, and deleting events and setting reminders, but it does not warn users that calendar data may be changed or notifications may be sent. When a skill has write capabilities, missing user-facing warnings and confirmation requirements can lead to unintended calendar modifications and privacy-impacting actions.

Missing User Warnings

Medium
Confidence: 94%
Finding
Describing automatic creation of calendar events from email and sending meeting reminder emails introduces a cross-tool automation path that can act on potentially untrusted email content. Without explicit warning, validation, and confirmation, malformed or malicious email invitations could cause unintended event creation, data leakage, or outbound communications the user did not approve.

VirusTotal

66/66 vendors flagged this skill as clean.
