Cal Com Automation

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Cal.com automation skill with disclosed account-changing capabilities, but users should be careful with webhook and booking changes.

Install only if you trust Rube/Composio to broker Cal.com access. Use the intended Cal.com account, review booking details, team names, webhook IDs, triggers, and subscriber URLs before approving changes, and treat webhook secrets as sensitive credentials that should only be used with trusted HTTPS endpoints under your control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 84%
Finding
The skill instructs users how to list, inspect, update, and delete webhooks, including use of `subscriberUrl`, `eventTriggers`, and `secret`, but does not warn that webhook endpoints will receive booking-related payloads that may contain sensitive scheduling or personal data. It also mentions secrets only as a parameter, without guidance on secure generation, storage, rotation, or signature verification, which increases the risk of data exposure, misdelivery to attacker-controlled endpoints, or weak webhook authentication.

VirusTotal

63/63 vendors flagged this skill as clean.
