Back to skill

Security audit

Google calender

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Google Calendar API guide that can change calendar events, but the risky capabilities are visible and match its stated purpose.

Install only if you are comfortable using a Maton API key for Google Calendar through the Maton gateway. Before running write actions, confirm the target calendar event, time zone, attendee emails, and whether invitations or update notifications should be sent, especially for deletes and external recipients.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill documents multiple state-changing calendar actions such as create, update, reschedule, attendee changes, and delete without any warning to require user confirmation or to disclose that invitations/notifications may be sent. In an agent setting, this can cause unintended calendar modification, meeting disruption, or notification spam if the instructions are followed automatically.

Natural-Language Policy Violations

Medium
Confidence
79% confidence
Finding
The skill strongly instructs use of Australia/Melbourne time zone as the default without requiring user opt-in or validating the user's actual locale. In calendar workflows, forced time-zone assumptions can lead to meetings being scheduled at the wrong real-world time, especially for users in other regions or during DST changes.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

No suspicious patterns detected.