Trip Calendar

Security checks across malware telemetry and agentic risk

Overview

This skill is a small, disclosed calendar helper that creates Google Calendar travel events only after user confirmation, with some setup and correctness cautions.

Install only if you already use and trust the gog CLI with the intended Google account. Before confirming event creation, review every event title, date, time, timezone, location, and description, and be especially careful with untrusted itinerary text or trips outside IST.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The activation phrases include very generic language such as "add to calendar" and "put this on my calendar," which can easily match routine calendar requests outside the trip-specific scope. In an agentic system that can invoke gog to create calendar entries, this increases the chance of incorrect skill activation and unintended writes to the user's Google Calendar.

Natural-Language Policy Violations

Medium

Confidence: 87% confidence
Finding: The rule to always use IST (+05:30) hardcodes a timezone regardless of the trip's actual geography or the user's calendar settings. This can silently create incorrect event times for flights, hotels, and activities, causing missed travel events or schedule confusion, especially for international itineraries.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal