Scheduly

Security checks across malware telemetry and agentic risk

Overview

This scheduling skill looks generally legitimate, but it exposes powerful booking, calendar, renewal, and account actions without clearly documented guardrails.

Install only if you trust ToolWeb/Scheduly and are comfortable giving an agent access to booking and Google Calendar workflows. Before connecting Google Calendar or using renewals, verify the OAuth scopes, token retention, ownership checks for user_id and object IDs, public booking-page visibility, and any 500-coin charges. Require explicit confirmation before delete, cancel, disconnect, renewal, auto-renewal, or scheduler actions.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (9)

Context-Inappropriate Capability

Medium

Confidence: 84% confidence
Finding: The WordPress profile sync endpoint is outside the core scheduling scope and introduces an additional integration boundary that can pull profile data from another system using only a user identifier. This broadens the attack surface and creates potential for unintended data access, account linkage abuse, or confusion about what external data is being fetched and stored.

Context-Inappropriate Capability

Low

Confidence: 69% confidence
Finding: The scheduler/process-expirations endpoint performs backend operational actions such as renewals and notifications, which exceeds normal end-user scheduling actions and could trigger bulk state changes if exposed through the skill. In an agent context, such maintenance endpoints are risky because they can be invoked out of band and may affect many users at once.

Description-Behavior Mismatch

Medium

Confidence: 78% confidence
Finding: A scheduler endpoint that processes expirations, auto-renewals, and sends notifications represents autonomous account-changing behavior that is not disclosed in the skill metadata. In an agent setting, hidden background actions increase the risk of unexpected renewals, state changes, or outbound messaging beyond what a user reasonably expects from a scheduling tool.

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The skill documents Google OAuth and returned profile/calendar access but does not clearly warn that user data is transmitted to Google and that Google-derived profile/calendar data is received and processed. In a scheduling context this matters because calendar metadata and profile information are sensitive and can expose personal routines and contacts.

Missing User Warnings

Medium

Confidence: 81% confidence
Finding: The documentation exposes destructive operations such as disconnecting Google and deleting objects without warning about irreversible effects or the need for confirmation. In agent-driven use, unclear destructive actions increase the chance of accidental loss of scheduling data, cancellations, or broken integrations.

Missing User Warnings

Low

Confidence: 78% confidence
Finding: The public booking page endpoint intentionally exposes scheduling information without authentication, but the documentation does not warn that availability and event details become publicly accessible. This can leak working patterns, open slots, and user identifiers, which may facilitate profiling or targeted social engineering.

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: Endpoints that disconnect Google or create coin-costing event types are destructive or financially impactful, yet the API description provides no confirmation, warning, or consent semantics. In agent-driven workflows, this can cause accidental account disconnection or unintended spending when the model invokes tools based on sparse descriptions.

Missing User Warnings

Medium

Confidence: 82% confidence
Finding: Delete and cancel operations can irreversibly remove event types or bookings, but the specification does not communicate the user impact or any safety checks. In an agent context, insufficiently labeled destructive operations materially increase the chance of harmful accidental execution.

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: Auto-renewal toggles and expiration-processing behavior can autonomously change account state and trigger notifications, but the spec lacks prominent warning or consent language. For an agent-integrated skill, this is dangerous because the tool may initiate persistent account behavior changes without the user understanding ongoing consequences.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal