for HiJavis calendar-extractor via conversation

Security checks across malware telemetry and agentic risk

Overview

This skill has a plausible calendar-summary purpose, but it handles sensitive transcripts with broad scheduled automation and an unvalidated HTTP endpoint in ways users should review before installing.

Review this before installing. Only use it if you are comfortable with scheduled access to recent meeting transcripts, with transcript-derived output being pushed to the configured service, and with an administrator-controlled HTTP_SOURCE_URL. Prefer a version that extracts only calendar fields, validates or allowlists network destinations, uses explicit opt-in triggers, and lets you choose timezone and delivery targets.

Publisher note

---
name: calendar-extractor
description: >-
  Periodically scan recent recording sessions, extract calendar events from transcripts,
  and push a daily summary to your iOS chat.
  Triggers: "today's meetings", "calendar extract", "今日会议", "提取日历".
keywords:
  - "today's meetings"
  - "calendar extract"
  - "今日会议"
  - "提取日历"
  - "calendar-extractor"
metadata:
  openclaw:
    runtime:
      node: ">=18"
---

# Calendar Extractor

> Periodically scan recent recording sessions, extract calendar events from transcripts, and push a daily summary to your iOS chat.

## When to use

- "today's meetings"
- "calendar extract"
- "今日会议"
- "提取日历"

## Core commands

```bash
# Register (first use)
node scripts/register.js <userId> <name>

# Run today's flow (also what the cron triggers)
node scripts/calendar-extractor.js <userId>

# Push management
node scripts/push-toggle.js on <userId> [--time HH:MM] [--channel iOS|Telegram|Discord|Slack]
node scripts/push-toggle.js off <userId>
node scripts/push-toggle.js status <userId>
```

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Intent-Code Divergence

Severity: Medium
Confidence: 96%

Finding: The file is presented as a calendar extractor, but its actual behavior is to read all stdin transcript content, fetch arbitrary data from an environment-controlled URL, and emit both together. This mismatch is dangerous because it can disguise data collection and exfiltration behavior behind an innocuous skill name, reducing operator scrutiny and increasing the chance that sensitive transcript content is processed in unintended ways.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%

Finding: The script performs an external fetch to a fully environment-supplied URL without any visible validation, allowlisting, or purpose-bound restriction. In an agent skill context, this creates a flexible outbound network primitive that can be repurposed to contact attacker-controlled infrastructure, retrieve untrusted payloads, or facilitate covert data movement.
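The mitigation this finding (and the overview's recommendation to validate or allowlist network destinations) calls for is a destination check that runs before any outbound request. The following is an added example written for this page, not code from the skill or its publisher: it validates an environment-supplied endpoint such as HTTP_SOURCE_URL against a fixed host allowlist and refuses the fetch on any mismatch. The allowlisted hostname, the function names, and the sample URLs are placeholders chosen for illustration; the Node 18+ runtime (for the global `URL` and `fetch`) is taken from the skill's own metadata.

```javascript
// Added example (not the skill's own code): refuse outbound fetches unless the
// environment-supplied endpoint passes a strict allowlist check.
// The allowlist entry below is a placeholder, not a real service.
const ALLOWED_HOSTS = new Set(['calendar.example.internal']);

// URL.hostname yields IPv6 literals in brackets and IPv4 as dotted quads;
// literal addresses bypass any name-based allowlist, so reject them outright.
function isIpLiteral(host) {
  return /^\[.*\]$/.test(host) || /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// Returns { ok: true, url } for an acceptable destination, otherwise
// { ok: false, reason } so the caller can log exactly why it refused.
function validateSourceUrl(raw, allowedHosts = ALLOWED_HOSTS) {
  if (typeof raw !== 'string' || raw.length === 0) {
    return { ok: false, reason: 'HTTP_SOURCE_URL is unset' };
  }
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: 'not a parseable URL' };
  }
  if (url.protocol !== 'https:') {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: 'embedded credentials not allowed' };
  }
  if (isIpLiteral(url.hostname)) {
    return { ok: false, reason: 'IP literal hosts not allowed' };
  }
  if (url.port !== '') {
    return { ok: false, reason: 'non-default port not allowed' };
  }
  if (!allowedHosts.has(url.hostname)) {
    return { ok: false, reason: `host ${url.hostname} not in allowlist` };
  }
  return { ok: true, url: url.toString() };
}

// Weak pattern the finding describes: whatever the environment says, we fetch.
function fetchSourceUnchecked(rawUrl = process.env.HTTP_SOURCE_URL, fetchImpl = fetch) {
  return fetchImpl(rawUrl);
}

// Hardened pattern: validation throws synchronously, so no request is ever
// started for a destination outside the allowlist. fetchImpl is injectable
// so the logic can be exercised without network access.
function fetchSourceChecked(rawUrl = process.env.HTTP_SOURCE_URL, fetchImpl = fetch) {
  const check = validateSourceUrl(rawUrl);
  if (!check.ok) {
    throw new Error(`refusing outbound fetch: ${check.reason}`);
  }
  return fetchImpl(check.url);
}

// Constructed sample values showing what the check accepts and rejects.
const SAMPLE_RESULTS = [
  'https://calendar.example.internal/today',
  'http://calendar.example.internal/today',
  'https://10.0.0.5/today',
  'https://u:p@calendar.example.internal/today',
  'https://attacker.example/collect',
].map((u) => [u, validateSourceUrl(u)]);
for (const [u, r] of SAMPLE_RESULTS) {
  console.log(u, '=>', r.ok ? 'allowed' : `rejected (${r.reason})`);
}
```

The allowlist is keyed on the exact hostname after URL normalization, so neither a different port on the same host nor a lookalike host passes; extending it is a deliberate code change rather than an environment edit, which is the trust boundary the finding says is missing.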

Missing User Warnings

Severity: Medium
Confidence: 95%

Finding: The skill explicitly pulls transcript content and posts formatted results to an HTTP endpoint, but it does not clearly warn users that transcript-derived data and identifiers may be transmitted off-tool to internal/external services. Because transcripts can contain sensitive meeting details, names, times, and other private information, this omission creates a real privacy and consent risk, especially in an automated scheduled workflow.

Natural-Language Policy Violations

Severity: Low
Confidence: 82%

Finding: The cron registration command hardcodes the timezone to America/Los_Angeles, which can cause summaries and meeting extraction runs to occur at unintended times for users in other regions. While this is not a direct code-execution or data-exfiltration flaw, it can lead to privacy and operational issues by sending meeting-derived summaries at the wrong time without meaningful user choice.

Vague Triggers

Severity: Medium
Confidence: 95%

Finding: The package description and keywords include the trigger phrase "today's meetings," which is a common everyday expression that users may say in unrelated contexts. In a skill that periodically scans recordings and extracts calendar events, an overly broad trigger increases the chance of unintended activation and access to sensitive transcript-derived meeting data.

Missing User Warnings

Severity: Low
Confidence: 88%

Finding: The skill depends on an environment-configured endpoint for outbound network access without any user-facing disclosure or trust boundary documentation. In this context, that makes the skill more dangerous because the endpoint can be silently redirected to sensitive internal or attacker-controlled services while the skill still appears to perform a benign calendar-related task.

VirusTotal

63/63 vendors flagged this skill as clean.