Calcom

Security checks across malware telemetry and agentic risk

Overview

This is a real Cal.com integration, but it gives broad authenticated Cal.com access, including raw API requests and data-changing actions, with weak scope and confirmation guidance.

Install only if you trust Membrane and intend to give an agent delegated Cal.com access. Prefer listed read actions first, explicitly confirm create, update, cancel, DELETE, payment, credential, recording, or raw proxy requests, and revoke the Membrane/Cal.com connection when it is no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
The manifest and description scope the skill as managing Cal.com users, but the body documents much broader administrative capabilities across bookings, teams, payments, credentials, organizations, workflows, invoices, recordings, and arbitrary API access. This mismatch can cause over-privileged use and unsafe invocation because a caller may authorize or trigger a skill under the assumption it is limited to user management when it is not.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The proxy-request section exposes arbitrary authenticated API calls through Membrane, effectively bypassing the safer, narrower action catalog and enabling access to any reachable Cal.com endpoint available to the connection. In a skill advertised for user/data management, this significantly expands the attack surface and can permit unintended reads, writes, or destructive actions against sensitive administrative resources.

Vague Triggers

Medium
Confidence: 80%
Finding
The invocation text is broad enough that the skill may be selected for general Cal.com interaction rather than a tightly scoped task, increasing the chance of unintended activation. Because the skill includes broad administrative functions and proxy capability, accidental activation has more security consequence than a narrowly scoped read-only integration.

VirusTotal

65/65 vendors flagged this skill as clean.
