Windows Calendar Sync

Security checks across malware telemetry and agentic risk

Overview

This skill does calendar syncing as advertised, but it deserves review because it stores long-lived Microsoft calendar credentials locally and can read, create, and delete calendar events.

Install only if you are comfortable granting Microsoft calendar read/write access. Verify the tenant/client ID setup, protect or delete token_store.json when not needed, and require confirmation before deletes or recurring events.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill instructs the agent to run local Python scripts, persist OAuth tokens to disk, and access Microsoft Graph over the network, yet it declares no permissions. This creates a transparency and policy-enforcement gap: users and any permission framework are not clearly informed that the skill can read/write local files and modify a cloud calendar account.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill metadata describes reminder syncing, but this script also supports listing, searching, and deleting calendar events, which expands its authority over a user's Outlook calendar beyond the narrowly stated purpose. In an agent setting, capability mismatch is dangerous because users or higher-level orchestrators may grant consent assuming write-only reminder creation, while the tool can also enumerate existing events and remove them.

Description-Behavior Mismatch

Low
Confidence
96% confidence
Finding
The add subcommand accepts a --delete option that triggers event deletion, creating a hidden destructive path inside a non-destructive command. This increases the risk of accidental or manipulated deletion because callers invoking 'add' may not realize they are exposing a delete capability, especially in agent workflows that map commands by name.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases include broad everyday terms such as '日程', 'calendar', and '日历', which can cause the skill to activate in contexts where the user did not intend calendar modification or account access. In this skill, accidental activation is more dangerous because the documented workflow includes reading events, creating reminders, deleting events, and initiating OAuth flows against the user's Outlook calendar.

Natural-Language Policy Violations

Medium
Confidence
80% confidence
Finding
The documentation states that time handling always uses Asia/Shanghai while also claiming that Windows auto-detects the local time zone. The two statements are inconsistent and can lead to incorrect event times. For a calendar-writing skill, timezone mistakes can silently create or move reminders to the wrong hour or day, causing missed meetings or unintended scheduling actions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script stores access and refresh tokens in token_store.json on disk without any evident file permission hardening, encryption, or explicit user warning. In the context of a calendar sync skill using Microsoft Graph with Calendars.ReadWrite and offline_access, theft of this file could let another local user or malware access and modify the user's Outlook calendar until the tokens expire or are revoked.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script stores access and refresh tokens in a plaintext JSON file under the skill directory, and the user-facing flow does not clearly warn that long-lived OAuth credentials will be persisted locally. Anyone or any process with local read access to that file can reuse the refresh token to obtain new access tokens and modify the user's Outlook calendar, making this a real credential-protection weakness.

VirusTotal

65/65 vendors flagged this skill as clean.
