Back to skill

Security audit

Calendar Setup

Security checks across malware telemetry and agentic risk

Overview

This is mostly a calendar setup guide, but it asks for broader Google account access and includes unsafe handling of long-lived OAuth secrets.

Review before installing. Use only if you intentionally want the agent to have owner Google Calendar write access, prefer calendar-only OAuth scopes, avoid the deployment-specific credential-file workaround, never paste or print refresh tokens or client secrets, and revoke Google access when it is no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill is scoped as Google Calendar setup, but it embeds broader Gmail and Google Workspace operational guidance, including message search and send examples. This unnecessarily expands the agent's effective capabilities and increases the chance the skill is used to access or act on unrelated owner data beyond the stated calendar-setup purpose.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Including Gmail search and send commands in a calendar-setup skill introduces unrelated email access and action capability. In context, this is dangerous because an operator following the skill may authorize or use broad mailbox access when only calendar setup is needed, violating least privilege and expanding the blast radius of misuse.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The direct API workaround instructs reading stored OAuth client credentials and refresh tokens from a local file and using them to mint access tokens for the owner's Google data. This is highly sensitive secret handling that enables durable unauthorized access if copied, exposed, or reused, and it bypasses safer interactive authentication flows.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The skill requests gmail, calendar, drive, and contacts scopes during account addition even though the stated purpose is calendar setup. Overbroad OAuth scopes violate least privilege and expose substantially more owner data and actions than necessary if the agent, credential store, or tokens are misused.

Missing User Warnings

High
Confidence
99% confidence
Finding
The instructions direct handling of client secrets and refresh tokens from a credentials file without strong safeguards, despite those values being reusable authentication secrets. Even if the file contents are not meant to be printed, telling operators to read and use them materially increases the risk of leakage, mishandling, and persistent compromise of the owner's account.

Ssd 3

High
Confidence
99% confidence
Finding
The skill explicitly instructs the agent to use reusable OAuth credentials and refresh tokens from a local file to access the owner's Google account. In this context, that is especially dangerous because the skill is meant for a high-trust personal assistant workflow, so misuse would grant ongoing access to private calendar and potentially other Google data without re-consent.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.