Back to skill

Security audit

Luma Event Manager

Security checks across malware telemetry and agentic risk

Overview

This skill handles sensitive Luma cookies and can change RSVP/calendar data, but the behavior is disclosed and fits its event-management purpose.

Install only if you are comfortable storing Luma session cookies in pass for this skill to read. Treat those cookies like passwords, avoid using guest-list features unless you are authorized, and use RSVP or calendar-sync commands only when you intend to change your Luma or Google account data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (20)

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The file header says the module provides RSVP support via scraping, but the implementation also performs authenticated, state-changing POST requests that submit RSVPs using user cookies and optional CSRF tokens. This understatement can mislead reviewers, users, or higher-level tooling about the true capability of the skill, reducing scrutiny around account-affecting actions.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The implementation spawns an external `pass` process to retrieve cookies, which materially changes the trust boundary compared with a passive in-process cookie loader. Even though the command string is static, invoking a subprocess inherits risks from PATH hijacking, shell execution behavior, and secret exposure through local process/environment interactions.

Context-Inappropriate Capability

High
Confidence
89% confidence
Finding
This file is presented as a web scraper, but it also executes a local command to fetch stored authentication material, expanding its capabilities beyond scraping into credential access. That hidden privilege escalation is security-relevant because any consumer of the skill may unknowingly grant the code access to local secrets and authenticated account data.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The design explicitly instructs users to export live browser cookies and store them for authenticated scraping, but it does not warn about the security, privacy, and account-takeover implications of handling session cookies. Session cookies are effectively bearer tokens; if exposed through logs, backups, the password store, or the skill itself, an attacker could access private Luma data or act as the user.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill advertises RSVP submission and Google Calendar synchronization, both of which can change external account state, but the document does not clearly warn users that these are write actions affecting third-party services and personal data. In an agent setting, missing disclosure and confirmation boundaries increases the risk of unintended modifications, privacy exposure, or user confusion about what the skill is authorized to do.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README explicitly documents authenticated access to RSVP data, hosted events, and guest lists using manually copied session cookies, but it does not warn users that these cookies are highly sensitive account credentials or that guest lists may contain personal data. In the context of a skill that relies on browser-session scraping rather than scoped API tokens, insufficient warning materially increases the chance of credential mishandling, privacy violations, or unauthorized account access if the stored cookies are exposed.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The README advertises Google Calendar sync via the gog CLI without clearly informing users that event details will be transmitted to a Google account and potentially stored in a third-party service. While expected functionality, the lack of an explicit disclosure can mislead users about data flow and create avoidable privacy risk, especially for private or invite-only events.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The example phrases include generic natural-language requests like 'Events near me this weekend' and 'What's the AI meetup about?' that do not follow the documented 'luma ...' trigger prefix. In agent systems that infer invocation from example utterances, this can cause the skill to activate on broad, ambiguous requests and gain access to event-search or authenticated functionality unexpectedly, expanding the skill's operational scope beyond what users may realize.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users to manually extract live session cookies ('luma_session', 'luma_user_id') from the browser and store them for later use, but it does not clearly warn that these are highly sensitive authentication artifacts equivalent to account access. If mishandled, logged, exposed to other tools, or stored insecurely, these cookies could let an attacker access private events, RSVP state, hosted-event data, and guest lists as the user.

Vague Triggers

Medium
Confidence
89% confidence
Finding
Several tool descriptions are broad and do not clearly constrain when the agent should invoke them, increasing the chance of overbroad or unintended tool use. In a skill that can search events, access hosted-event data, RSVP, and modify calendars, ambiguous invocation guidance can lead to privacy-impacting reads or external side effects without sufficiently clear user intent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The manifest exposes a guest-list access capability for hosted events but does not warn that it reveals potentially sensitive attendee information. Without a user-facing warning or stricter usage constraints, an agent could disclose or retrieve guest data in situations where the user did not fully understand the privacy implications.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The calendar tool performs an external state-changing action by adding an event to Google Calendar, but the manifest does not clearly warn users that it modifies external user data. This creates a risk of accidental or implicit calendar changes if the agent interprets a general scheduling query as authorization to act.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
This function performs a real external side effect by adding an event to the user's Google Calendar, but this file contains no built-in confirmation gate, dry-run mode, or explicit warning before the account modification occurs. In an agent context, ambiguous prompts or prompt-injected tool chains could trigger unintended calendar changes, making this more dangerous than a normal local helper because it acts on a linked third-party account.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This handler changes the user's RSVP status on Luma using stored authentication cookies without an explicit confirmation step in the file. In an agent-integrated environment, that is risky because a malicious event description, indirect instruction, or misunderstood user request could cause unintended attendance state changes on behalf of the user.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
This request attaches raw authentication cookies to an external request to lu.ma without any evidence in this file of a clear warning, scoped consent, or minimization. Handling session cookies in skill code is sensitive because they authenticate the user and can be misused for unintended account actions if the behavior is not transparent and tightly controlled.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code performs authenticated POST requests that can change the user's account state by submitting RSVPs, combining cookies with scraped CSRF tokens and trying multiple endpoints/payload formats until one succeeds. In an agent skill context, this is more dangerous than passive retrieval because it automates account actions on a third-party service with limited transparency and no visible in-file confirmation step.

Missing User Warnings

High
Confidence
83% confidence
Finding
The guest-list function accesses potentially non-public attendee data using authentication cookies, which raises a meaningful privacy risk. In the skill context, scraping attendee identities from private pages is more sensitive than ordinary event metadata because it exposes third-party personal data and could be abused for profiling or unauthorized collection.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
Automatically retrieving stored cookies from a password manager without any user-facing disclosure is security-relevant because it silently accesses credentials rather than requiring explicit input. In this skill, that makes authenticated scraping more dangerous by enabling secret use and account access with less user awareness.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The file defines tool metadata that exposes account-affecting actions such as RSVP submission and adding events to a Google Calendar, but the descriptions contain no indication that callers should obtain explicit user confirmation before invocation. In an agent setting, this increases the risk of unintended external side effects from ambiguous prompts, prompt injection, or autonomous tool selection, especially because these actions modify third-party accounts rather than just reading data.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
`geocodeLocation` sends raw user-supplied location strings to Nominatim, which is a third-party external service. If those strings contain home addresses or other sensitive location data, the skill can disclose user data to an external party without explicit consent or a clear privacy boundary.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.