Back to skill

Security audit

calender-memo

Security checks across malware telemetry and agentic risk

Overview

This calendar skill is mostly a local memo tool, but it also starts automatic Feishu push reminders and builds a shell command from reminder text without clear install-time consent.

Review before installing. Use it only if you intentionally want calendar reminder text sent through Feishu from your OpenClaw environment, and avoid entering sensitive schedule details unless the skill is changed to require explicit opt-in, provide a disable control, and replace shell exec with a safer API or argument-based command call.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill is presented as a simple local calendar/memo tool, but the noted behavior includes external command invocation, proactive Feishu message sending, and a background scheduler that triggers reminders automatically. That mismatch is dangerous because users and the host system may grant trust or permissions based on the declared local-only purpose, while the actual behavior introduces outbound actions and autonomous execution not transparently disclosed.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill is presented as a local calendar/memo tool, but it exfiltrates reminder content to an external Feishu channel. This expands the trust boundary without disclosure and can leak sensitive schedule details, contacts, or personal plans to external systems unexpectedly.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The module invokes an external shell command to send messages, giving the skill command-execution capability unrelated to a local memo/notebook function. Even though quotes are partially escaped, shelling out increases attack surface and can enable command injection or abuse of local tooling and credentials if event content is attacker-controlled.

Intent-Code Divergence

Medium
Confidence
79% confidence
Finding
The comment confirms the design has shifted from returning reminders locally to pushing them directly outward, which contradicts the declared local-only purpose. This indicates intentional hidden scope expansion and increases the likelihood that users will be unaware their reminder data leaves the local environment.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger conditions and keywords are broad enough to match normal conversation about plans, reminders, or daily schedules, which can cause the skill to activate unexpectedly. In a memory-writing skill, over-triggering is risky because benign conversation may be stored, modified, or acted on without the user's clear intent.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill states that schedule data is persisted locally in MEMORY.md, but it does not clearly present this as an ongoing privacy and retention warning to the user. Calendar and reminder data can contain sensitive personal, professional, and location information, so insufficient disclosure increases the risk of users unknowingly storing sensitive data on disk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code automatically sends external messages without any explicit warning, consent, or per-destination confirmation. In a calendar context, reminders often contain sensitive personal or business information, so silent transmission materially increases privacy and data-handling risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
reminder.js:20