Apple Calendar CLI

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Apple Calendar helper that can read and change calendar events after the user grants macOS Calendar access.

Install only if you trust the Homebrew CLI source and want an agent to access Apple Calendar. Grant Calendar permission deliberately, use narrow date ranges or calendar filters where possible, and require the agent to show the exact target event before creating, rescheduling, or deleting anything.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill documents a `delete-event` command and destructive update workflows without an explicit confirmation or user-warning requirement before modifying or deleting calendar data. In an agent context, this increases the risk of unintended data loss because calendar operations affect real personal or work records and may be executed from ambiguous user requests.

Missing User Warnings

Low

Confidence: 86% confidence
Finding: The skill exposes commands that enumerate calendars and read full event details, including titles, locations, notes, URLs, and attendee-related context, but it provides no privacy warning or data-minimization guidance. In an agent setting, this can lead to unnecessary collection or disclosure of sensitive personal or business information from the user's calendar.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal