Calendar Sync

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill mostly matches its stated calendar-sync purpose, but its direct Apple Calendar mode builds AppleScript source from document text and runs it with osascript, so a crafted document could make it run unintended commands.

Install only if you are comfortable with document-derived data being written to Calendar or ICS files. Prefer the ICS generation path and inspect the file before importing it. Do not use direct AppleScript registration with untrusted document data until the script validates and escapes every field it interpolates into the script.

Static analysis

Prompt injection instructions

Warn
Finding
Prompt-injection style instruction pattern detected.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If direct AppleScript mode is used on macOS, a malicious or malformed document title or date could break out of the intended Calendar event fields and run unintended AppleScript commands with the permissions of the macOS user running the agent.

Why it was flagged

The direct-registration path takes values from structured_results.json, inserts them into an AppleScript string, and executes it with osascript. The title and deadline fields are not escaped or validated before becoming executable AppleScript. AppleScript string literals are delimited by double quotes and use backslash escapes, so a title containing an unescaped double quote ends the literal and everything after it is parsed as code.

Skill content
title = create_event_title(doc)
deadline = dates.get("deadline")
...
summary:"{title} - 마감",
start date:eventDate,
...
result = subprocess.run(
    ['osascript', '-e', script],
Recommendation

Prefer the default ICS-file workflow for now. Before enabling direct AppleScript registration, validate dates against a strict format, escape backslashes and double quotes in every AppleScript string literal, or, better, keep the script constant and pass values as osascript arguments (an `on run argv` handler) rather than interpolating document text into executable code.
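The injection path and the two fixes the recommendation names, as an added example (not code from the skill or from ClawScan). It runs without macOS: a small lexer shows where the document text ends up in the generated AppleScript. The simplified script text, the hostile title and the `on run argv` wrapper are constructed for the demonstration; the calendar name "문서 일정" ("Document Schedule") is the one the skill uses.

```python
import re
from datetime import date

# Hostile title constructed for this demonstration: the first double quote closes
# the AppleScript literal and the remainder is parsed as AppleScript code.
HOSTILE_TITLE = 'x" & (do shell script "id") & "'


def build_unsafe_script(title, deadline):
    """The pattern the finding describes: document text pasted into AppleScript source."""
    return (
        'tell application "Calendar"\n'
        f'  make new event with properties {{summary:"{title}", description:"{deadline}"}}\n'
        "end tell\n"
    )


_ESCAPES = {"\\": "\\\\", '"': '\\"', "\n": "\\n", "\r": "\\r", "\t": "\\t"}


def applescript_string_literal(value):
    """Encode value as a double-quoted AppleScript string literal.

    Backslash and double quote are escaped so the literal cannot be terminated
    early; newline, return and tab use AppleScript's escape sequences; other
    control characters are rejected rather than passed through.
    """
    if not isinstance(value, str):
        raise TypeError("event fields must be strings")
    if re.search(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]", value):
        raise ValueError("control characters are not allowed in event fields")
    return '"' + "".join(_ESCAPES.get(ch, ch) for ch in value) + '"'


def build_safe_script(title, deadline):
    """Same script, with every document-derived value passed through the literal encoder."""
    return (
        'tell application "Calendar"\n'
        "  make new event with properties "
        f"{{summary:{applescript_string_literal(title)}, "
        f"description:{applescript_string_literal(deadline)}}}\n"
        "end tell\n"
    )


def code_outside_strings(script):
    """Strip AppleScript string literals (honouring backslash escapes) and return
    the text the interpreter would execute as code, so we can see where the
    document text landed without needing osascript."""
    out, in_string, i = [], False, 0
    while i < len(script):
        ch = script[i]
        if in_string:
            if ch == "\\":
                i += 1  # skip the escaped character
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def validate_deadline(value):
    """Accept only an ISO calendar date (YYYY-MM-DD) and return it as a date."""
    try:
        return date.fromisoformat(str(value))
    except ValueError:
        raise ValueError(f"deadline is not an ISO date: {value!r}") from None


# Alternative to escaping: the script is a fixed constant and document text
# reaches it only through argv, so it can never change what the script does.
REGISTER_EVENT_SCRIPT = """
on run argv
  set eventTitle to item 1 of argv
  set eventDate to current date
  set day of eventDate to 1
  set year of eventDate to (item 2 of argv) as integer
  set month of eventDate to (item 3 of argv) as integer
  set day of eventDate to (item 4 of argv) as integer
  set time of eventDate to 0
  tell application "Calendar"
    tell calendar "문서 일정"
      make new event with properties {summary:eventTitle, start date:eventDate}
    end tell
  end tell
end run
"""


def build_osascript_command(title, deadline):
    """Build the argv for subprocess.run(...): values travel as arguments, not as source."""
    if not title.strip():
        raise ValueError("empty title")
    d = validate_deadline(deadline)
    # "--" ends option parsing so a title beginning with "-" is not read as a flag.
    return ["osascript", "-e", REGISTER_EVENT_SCRIPT, "--",
            title, str(d.year), str(d.month), str(d.day)]
```

With the hostile title, `code_outside_strings(build_unsafe_script(...))` contains `do shell script` as code, while the escaped and argv variants keep it inert text. The argv route is the stronger of the two because the script never changes shape; the date is rebuilt from validated integer components rather than from any string the document supplied.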

What this means

The skill may fail until the dependency is installed, and an unpinned package install can resolve to a different icalendar version over time and change behavior.

Why it was flagged

The script depends on the external icalendar package, but the artifact set has no install spec or version pin. This is purpose-aligned, but users should install it from a trusted source.

Skill content
from icalendar import Calendar, Event, Alarm
...
print("   pip install icalendar")
Recommendation

Use a virtual environment and pin a known-good icalendar version (an exact version, ideally with package hashes) in an install spec or requirements file.

What this means

Granting Calendar access lets the skill add events and reminders that may sync across the user's Apple devices or accounts.

Why it was flagged

The skill can use the user's local Calendar app authority to create calendars and events. This matches the stated purpose, but it is still account/app data mutation.

Skill content
tell application "Calendar"
    if not (exists calendar "문서 일정") then -- "문서 일정" means "Document Schedule"
        make new calendar with properties {name:"문서 일정"}
    end if
    tell calendar "문서 일정"
        make new event with properties {
Recommendation

Use a separate calendar such as "문서 일정" ("Document Schedule"), review generated events, and prefer ICS preview and import if you do not want the agent to modify Calendar directly.

What this means

Private business or document details may become part of calendar entries and may be synced or shared wherever that calendar is available.

Why it was flagged

The skill stores document summaries, financial amounts, and original file paths in calendar event descriptions or ICS files. This is disclosed and purpose-aligned, but it persists potentially sensitive document context.

Skill content
lines.append(f"요약: {doc['summary'][:200]}")   # "요약" = Summary
lines.append(f"금액: {amount:,.0f}원")          # "금액" = Amount, "원" = KRW
lines.append(f"원본: {meta['filepath']}")       # "원본" = Source (full original file path)
...
event.add('description', description)
Recommendation

Redact sensitive fields (amounts, full file paths, confidential summary text) before syncing, use a local or separate calendar when possible, and avoid importing events from confidential documents unless this storage is acceptable.
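A redacting description builder and an ICS writer that lets you check the file before importing it, as an added example (not the skill's own code, which uses the icalendar package; this uses only the standard library). The sample record, its field names, the English labels standing in for 요약/금액/원본, and the UID are constructed for the demonstration.

```python
import os
import re
from datetime import date

# Constructed sample record. The three fields mirror what the skill writes into
# the event description (summary, amount, original path); the names are assumptions.
SAMPLE_DOC = {
    "summary": ("Supplier contract renewal (계약 갱신); total 12,000,000 KRW payable "
                "by 2025-03-31,\nescalate to legal if unpaid"),
    "amount": 12_000_000,
    "filepath": "/Users/jane/Documents/contracts/acme-2025.pdf",
}


def build_description(doc, *, include_amount=False, include_path=False, summary_chars=80):
    """Build the description with the sensitive fields opt-in rather than default.

    The summary is truncated, the amount is omitted unless asked for, and even
    when the source is included only the file name is written, never the full
    path (which would carry the user name and directory layout to every synced device).
    """
    lines = [f"Summary: {doc['summary'][:summary_chars]}"]
    if include_amount and doc.get("amount") is not None:
        lines.append(f"Amount: {doc['amount']:,.0f} KRW")
    if include_path and doc.get("filepath"):
        lines.append(f"Source: {os.path.basename(doc['filepath'])}")
    return "\n".join(lines)


def ics_text(value):
    """Escape a TEXT value per RFC 5545: backslash, semicolon, comma and line
    breaks. Without this, a line break in document text would start a new
    property line in the file."""
    return (value.replace("\\", "\\\\").replace(";", "\\;").replace(",", "\\,")
                 .replace("\r\n", "\\n").replace("\n", "\\n").replace("\r", "\\n"))


def fold(line):
    """RFC 5545 line folding: at most 75 octets per physical line, continuation
    lines prefixed with one space, never splitting a multi-byte UTF-8 sequence
    (the skill writes Korean labels, so this matters)."""
    data = line.encode("utf-8")
    out, start = [], 0
    while start < len(data):
        end = min(start + (75 if start == 0 else 74), len(data))
        while end < len(data) and (data[end] & 0xC0) == 0x80:
            end -= 1  # back up to a character boundary
        out.append(("" if start == 0 else " ") + data[start:end].decode("utf-8"))
        start = end
    return "\r\n".join(out)


def build_vevent(uid, summary, dtstart, description):
    """Minimal all-day VEVENT; every document-derived value is escaped and folded."""
    props = [
        "BEGIN:VEVENT",
        f"UID:{uid}",
        f"DTSTART;VALUE=DATE:{dtstart.strftime('%Y%m%d')}",
        f"SUMMARY:{ics_text(summary)}",
        f"DESCRIPTION:{ics_text(description)}",
        "END:VEVENT",
    ]
    return "\r\n".join(fold(p) for p in props) + "\r\n"


def property_names(ics):
    """Unfold an iCalendar text and list its property names in order: a quick
    pre-import check that the file contains exactly the properties you expect."""
    unfolded = ics.replace("\r\n ", "")
    return [re.split(r"[;:]", line, maxsplit=1)[0]
            for line in unfolded.split("\r\n") if line]


def sample_event(summary="Contract deadline"):
    """Render the constructed sample; pass a hostile summary to see it neutralised."""
    return build_vevent("doc-1@example.invalid", summary, date(2025, 3, 31),
                        build_description(SAMPLE_DOC))
```

Run `property_names(sample_event("Meeting\r\nATTENDEE:mailto:x@example.com"))` and you still get the six expected properties: the embedded line break became a `\n` escape instead of a new ATTENDEE line. That is the check to make on any ICS file generated from document text before importing it.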