macOS Calendar

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims by managing macOS Calendar events, with the main privacy caveat that event titles are saved in a local log.

Before installing, be comfortable granting an agent access to create events in your configured macOS calendars. Ask it to list calendars first and confirm the calendar, date, time, alarm, and recurrence before creating events. Avoid putting highly sensitive details in event titles if the local log may be exposed through backups or other local access.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Ssd 3

Medium

Confidence: 97% confidence
Finding: The skill explicitly logs calendar actions including user-provided event summaries, which can contain sensitive natural-language data such as medical appointments, legal matters, travel, or personal relationships. Persisting this information to logs creates a secondary disclosure surface through local file access, backups, log collection, or later unintended reuse.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal