Back to skill

Security audit

Calendar Extractor

Security checks across malware telemetry and agentic risk

Overview

This calendar skill appears purpose-built, but it automatically processes sensitive voice and keyboard transcripts broadly enough that users should review it carefully before installing.

Install only if you are comfortable with HiJavis automatically inspecting completed voice and keyboard transcripts, not just explicit calendar requests. Confirm that you can disable the skill, understand where pushed event cards and pending rows are stored, and are comfortable with transcript-derived event details appearing in iOS chat before you confirm or discard them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The invocation examples are extremely generic phrases like "today's meetings" and "What meetings do I have coming up?", which can easily overlap with normal conversation rather than an intentional skill invocation. In a system that monitors chats or recordings, broad triggers increase the chance of unintended activation and surprise processing of sensitive conversation-derived data.

Missing User Warnings

High
Confidence
96% confidence
Finding
The README says the skill scans recent recordings and conversations to extract plans, but it does not prominently warn users about the privacy implications of analyzing potentially sensitive speech content. Because the skill operates on recorded conversations and meetings, missing disclosure can lead to users unknowingly exposing personal, family, work, or third-party information to automated processing.

Vague Triggers

High
Confidence
94% confidence
Finding
The skill is configured to auto-run on every completed audio or keyboard unit and explicitly lets the skill itself decide relevance after seeing transcript content. That creates an overly broad trigger surface where sensitive user text can be processed and acted on without a narrow server-side predicate, increasing the chance of unintended extraction and delivery of private events.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The route match string includes broad concepts like meetings, agenda, scheduling, and dates/times mentioned, which are common in ordinary conversation. Even if routing metadata is advisory, broad matching increases the likelihood that non-calendar conversations will invoke processing of transcript data and generate unwanted pending events.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The description advertises extracting events from recent recordings and keyboard transcripts and pushing them to chat, but it does not present a clear user-facing privacy warning or consent boundary. Because the skill handles potentially sensitive transcript content, users may not realize that recent speech and typed inputs are being harvested and mirrored into downstream systems.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The package description explicitly states the dispatcher invokes this skill for every completed unit with no classifier or route matching, meaning the skill may receive far more user data than is necessary for its purpose. Because this skill processes recent recordings and keyboard transcripts and pushes extracted content externally to an iOS chat, broad invocation materially increases privacy and data-exposure risk if irrelevant or sensitive units are processed.

Ssd 3

Medium
Confidence
95% confidence
Finding
The skill automatically harvests completed audio and keyboard units, extracts event data, and transmits results without a per-request user ask. Although events are marked pending before confirmation, the privacy exposure already occurs at fetch, extraction, mirroring to /api/skill/data, and push to chat, so Confirm/Discard does not prevent initial disclosure.

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
test/data.test.js:19

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/calendar-extractor.js:78