OpenCal

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only OpenCal integration that clearly uses an API key to read and update meal logs and goals, with privacy and account-change cautions but no hidden or unrelated behavior.

Install only if you are comfortable giving your agent an OpenCal API key. The agent can read meal history, add or delete food entries, and change calorie or macro goals; keep the key private, do not set OPENCAL_BASE_URL unless you trust the endpoint, and review logged changes for accuracy.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (3)

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The skill description is broad enough to trigger on ordinary food-related conversation, causing the agent to invoke a third-party nutrition service even when the user may only be chatting or asking general food questions. In this skill, that over-broad activation increases privacy risk because meal details and health-related preferences can be transmitted or modified in OpenCal without sufficiently explicit intent.

External Transmission

Medium

Category: Data Exfiltration
Content: **2. Scale to the actual amount and log:** ```bash curl -s -X POST "${OPENCAL_BASE_URL:-https://api.opencal.ai}/api/v1/food/log" \ -H "Authorization: Bearer $OPENCAL_API_KEY" \ -H "Content-Type: application/json" \ -d '{
Confidence: 91% confidence
Finding: curl -s -X POST "${OPENCAL_BASE_URL:-https://api.opencal.ai}/api/v1/food/log" \ -H "Authorization: Bearer $OPENCAL_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium

Category: Data Exfiltration
Content: -H "Authorization: Bearer $OPENCAL_API_KEY" | jq # Update (only include fields to change) curl -s -X PUT "${OPENCAL_BASE_URL:-https://api.opencal.ai}/api/v1/goals" \ -H "Authorization: Bearer $OPENCAL_API_KEY" \ -H "Content-Type: application/json" \ -d '{"calorieGoal": 1800, "proteinGrams": 160}'
Confidence: 95% confidence
Finding: curl -s -X PUT "${OPENCAL_BASE_URL:-https://api.opencal.ai}/api/v1/goals" \ -H "Authorization: Bearer $OPENCAL_API_KEY" \ -H "Content-Type: application/json" \ -d

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal