Back to skill

Security audit

workday-calendar

Security checks across malware telemetry and agentic risk

Overview

The skill is a real local calendar tool, but it includes an unauthenticated LAN-reachable web server and executable backup files that are broader than users may expect.

Review before installing. Use the skill only if you are comfortable with it storing schedule data locally, creating executable Windows backup files, and running a configuration web server. If you use the web UI, bind it to localhost only or firewall the port, and do not run generated .bat backups unless you trust and inspect them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • System Prompt LeakageDirect Leakage, Indirect Extraction, Tool-Based Exfiltration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares no effective permissions despite documented behavior that reads and writes local files and performs mandatory network lookups. This creates a trust and consent gap: a host or reviewer may authorize the skill under the assumption of low privilege while it actually accesses external data and modifies local state.

Tp4

High
Category
MCP Tool Poisoning
Confidence
86% confidence
Finding
The declared purpose understates materially important behaviors such as running a local web server, exporting HTML, automation/scheduled tasks, import/export/sync, and generating restorable backup scripts. Description-behavior mismatch is dangerous because reviewers and users may approve a seemingly simple calendar skill without realizing it exposes additional attack surface and persistence or execution-adjacent functionality.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The documentation claims the skill only manages local data, yet later requires mandatory online querying of government holiday notices. This inconsistency is dangerous because it can cause silent network access in contexts where users or policy engines believe the skill is offline-only.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The guide documents automatic creation of executable Windows .bat files for backups and instructs users to restore by double-clicking or invoking them via cmd. For a calendar/schedule skill, generating executable scripts is unnecessary and expands the attack surface: if backup contents or file paths are influenced by data, users may execute attacker-controlled commands under their own account.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The permission document contains contradictory claims: one section reports silent network access via urllib, while a later section asserts there is no network access and only local JSON reads/writes. This inconsistency can mislead reviewers and users about the actual security posture, especially because the claimed network access is marked as silent, reducing transparency and informed consent.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill generates executable Windows .bat backup files that embed the full schedule dataset in base64 and can restore it via certutil and move. Even if intended as disaster recovery, storing sensitive calendar data inside executable scripts expands the attack surface: the files are easy to copy, run, or socially engineer users into executing, and they expose private schedule contents to anyone with filesystem access.

Vague Triggers

Medium
Confidence
80% confidence
Finding
Overly broad trigger phrases increase the chance that the skill is invoked for ordinary language unrelated to calendar administration. Unintended invocation matters here because the skill can write files and may trigger network lookups, causing unnecessary data access or state changes from ambiguous prompts.

Vague Triggers

Medium
Confidence
79% confidence
Finding
Standalone keywords without scope constraints can cause accidental activation by unrelated user requests. In a skill with local file operations, exports, and online lookup requirements, ambiguity increases the risk of the wrong tool being selected and acting on local data unexpectedly.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The workflow mandates online lookup for missing holiday data but does not require a user-facing warning or consent step before network access. This is risky because users may expect a local calendar tool, yet it can automatically transmit query context externally and ingest untrusted remote data into local rule files.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger list contains very generic terms such as '日程', '安排', and '空闲时间' that are common in normal conversation and can cause the skill to activate when the user did not explicitly intend to use this calendar skill. Unintended activation can route unrelated user requests into the skill, causing incorrect handling of requests, privacy over-collection of scheduling context, or interference with other more appropriate skills.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The examples normalize destructive calendar operations by showing delete and update actions without any confirmation, identity check, or preview of the affected event. In a scheduling skill that manages personal or organizational calendars, this can lead to accidental or unauthorized modification of important events if an agent applies the pattern directly from the documentation.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The backup/restore instructions tell users to execute generated .bat files without any warning that these are executable scripts, that they may overwrite prior backups, or that running them carries command-execution risk. This unsafe guidance can normalize blind execution and increase the likelihood of accidental damage or exploitation if the backup files are modified or malformed.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document states that multiple local data files are written silently, including holiday settings and personal schedule data, without explicitly warning users that invoking the skill may modify persisted state. Silent writes are not inherently malicious, but they create a transparency and integrity risk because users may not realize their data or configuration can be changed automatically.

Direct Prompt Extraction

High
Category
System Prompt Leakage
Content
"""获取某天的排班时段(复制周一规则到二~五)"""
    rules = load_scheduling_rules()
    if weekday in rules and rules[weekday] is not None:
        return rules[weekday]
    if rules.get(0) and weekday in (1,2,3,4):
        return rules[0]
    # fallback
Confidence
85% confidence
Finding
return rules

Direct Prompt Extraction

High
Category
System Prompt Leakage
Content
if weekday in rules and rules[weekday] is not None:
        return rules[weekday]
    if rules.get(0) and weekday in (1,2,3,4):
        return rules[0]
    # fallback
    defs = DEFAULT_SCHEDULING.get(weekday, [])
    return defs if defs is not None else DEFAULT_SCHEDULING.get(0, [])
Confidence
85% confidence
Finding
return rules

Direct Prompt Extraction

High
Category
System Prompt Leakage
Content
}
    rules.append(rule)
    save_auto_configs(rules)
    return rule, f"自动化规则已添加: {name}"


def delete_auto_rule(rule_id: str) -> str:
Confidence
85% confidence
Finding
return rule

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.