Back to skill

Security audit

Calctl

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Apple Calendar helper, but users should know it can create persistent calendar events.

Install only if you want an agent to interact with Apple Calendar. Before creating events, confirm the title, date, time, notes, and target calendar, prefer an explicit `--calendar` value over the default, and make sure the `calctl` command on your PATH is one you trust.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly supports creating calendar events, which modifies user data, but the documentation provides no warning that commands can write to Apple Calendar or alter personal/work records. In a CLI/agent context, lack of clear disclosure increases the chance of unintended or socially engineered modifications, especially because calendar data can affect schedules, reminders, and business workflows.

Natural-Language Policy Violations

Low
Confidence
73% confidence
Finding
The skill enumerates specific calendar names, including non-English labels and what appear to be real organizational/personal calendar names, assuming a fixed locale and environment. This can leak environment-specific context, encourage brittle automation against user-specific resources, and may expose sensitive naming conventions if shared broadly.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.