Back to skill

Security audit

Appointment Manager

Security checks across malware telemetry and agentic risk

Overview

This appointment skill is coherent, but it asks for broad authority to book real appointments, store sensitive details, update calendars, and send reminders beyond what it clearly declares.

Install only if you are comfortable with an agent managing real appointments, storing appointment history locally, using calendar context, and sending reminders through configured channels. Before using it, require explicit confirmation for each booking, cancellation, reschedule, calendar change, and any submission of sensitive personal or medical information; avoid storing DOB, visit reasons, or medical follow-up notes unless truly necessary.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill declares only web_fetch and web_search, but instructs the agent to register cron jobs, send outbound reminders, and modify Google Calendar. This mismatch can cause the agent framework or reviewers to underestimate the skill's real authority, leading to unauthorized scheduling, messaging, or calendar-side effects if broader ambient capabilities are available.

Context-Inappropriate Capability

Low
Confidence
87% confidence
Finding
The phone-only flow claims limited assistance, but it still relies on calendar access and delayed reminder behavior outside the declared tool scope. Even if the actions are less direct than online booking, the hidden dependence on additional capabilities can mislead users and systems about what data is accessed and what follow-up actions will occur.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The front-matter name/description and invocation wording are broad enough that ordinary conversation about doctors, dentists, or reminders could activate the skill unintentionally. Because the skill can research providers, store sensitive appointment data, and potentially act on external services, accidental invocation materially increases privacy and action-taking risk.

Vague Triggers

High
Confidence
97% confidence
Finding
The trigger list includes highly ambiguous phrases such as 'dentist', 'doctor', and 'remind me about', which are common in everyday speech and likely to collide with unrelated contexts. In this skill's context, accidental triggering is more dangerous because it can initiate handling of health-related information, local persistence, provider searches, and downstream reminder workflows.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill is designed to store and reuse sensitive appointment and health-related information, but it does not provide an upfront privacy warning or consent flow before doing so. Users may disclose medical reasons, DOB, addresses, and provider history without understanding that the data will persist in local files and be reused in future reminders.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill states that online booking is handled automatically and calendar entries may be added, but it does not foreground that the agent may act on external services on the user's behalf. Without a prominent warning and confirmation, users may not realize the agent is about to submit forms, create appointments, or alter connected accounts.

Ssd 3

Medium
Confidence
96% confidence
Finding
The skill persistently stores appointment histories, providers, reminders, and potentially medical details such as DOB, visit reasons, and follow-up notes in local markdown files. This creates a concentration of sensitive personal and health-related data that could be exposed through other skills, local compromise, overbroad access, or inadvertent reuse beyond the original purpose.

Ssd 3

Medium
Confidence
93% confidence
Finding
The reminder workflow instructs isolated jobs to read appointment records and send outbound messages containing address, timing, and preparation details. If delivery targets are misconfigured, channels are shared, or stored records are over-detailed, sensitive information can be disclosed in notifications without sufficient context-sensitive safeguards.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.