ClawHub

Eventkit Integration

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only EventKit guide, but it teaches hidden note markers and bulk deletion patterns without enough user-consent and safety guidance.

Installing this skill will not execute code by itself, but developers should treat its examples as unsafe templates until hardened. Before using the patterns in an app, disclose any sync markers placed in notes, prefer visible or app-local metadata, provide a way to inspect and remove markers, request only the EventKit permissions actually needed, and protect bulk deletes with explicit confirmation, preview, scoped identifiers, logs, and recovery planning.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill explicitly recommends zero-width character steganography to hide identity signatures inside user-visible notes. Even if intended for sync correlation, hiding metadata in content without clear disclosure is risky because it creates covert data storage, can undermine user consent, and may leak internal identifiers through exported/shared notes. In an EventKit integration skill, this makes the behavior more concerning because it is presented as a normal integration pattern rather than an exceptional, disclosed mechanism.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The markdown instructs developers to embed hidden metadata in EventKit notes for identity tracking but does not warn that user notes will be modified with invisible content. This is dangerous because users and downstream systems may unknowingly process, share, or expose hidden identifiers, creating privacy, trust, and data-governance issues. The skill context increases the risk because note fields are commonly synced and exported across devices and services.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The batch deletion example performs large-scale reminder removal with no guidance on confirmation, dry-run mode, rollback strategy, or backup safeguards. This is dangerous because integrators may adopt the pattern directly and cause irreversible user data loss through incorrect identifiers, sync bugs, or logic errors. In an EventKit skill, destructive operations target personal calendar/reminder data, so omission of safeguards materially raises operational risk.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal