Zoom Calendar

Security checks across malware telemetry and agentic risk

Overview

The skill does what it claims, but it modifies Zoom and Google Calendar using powerful credentials and has implementation flaws users should review first.

Review before installing. Use it only with Zoom and Google accounts you are comfortable modifying, verify the exact calendar event ID and timezone before running it, and consider hardening the script to generate JSON with jq and to clean temporary token files with a trap.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 82% confidence
Finding: The invocation description is broad enough to match generic Zoom or Google Calendar requests, which can cause the skill to run in situations where the user did not explicitly ask to create or modify meetings. Because the skill can use credentials and shell execution to change external state, over-triggering increases the risk of unauthorized calendar changes or meeting creation.

Natural-Language Policy Violations

Medium

Confidence: 89% confidence
Finding: The skill assumes the Jerusalem timezone when the input omits timezone data, without user opt-in or validation. This can silently schedule meetings at the wrong time, causing mis-coordination, missed meetings, or unintended disclosure if participants join at incorrect times.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal