Email To Calendar

Security checks across malware telemetry and agentic risk

Overview

This email-to-calendar skill is mostly coherent, but it combines broad inbox access, automatic mailbox changes, persistent local logging, and one real shell-invocation flaw that users should review before installing.

Install only if you are comfortable granting the skill access to read email bodies, modify inbox state, and create/update calendar events. Prefer forwarded-email mode over direct inbox scanning, disable mark-read/archive until tested, review attendee and deadline-notification settings, and treat the shell=True validation path as a bug that should be fixed before using it in a sensitive environment.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Behavioral ASTexec() Call, eval() Call, Dynamic Import

Findings (34)

subprocess module call

Medium

Category: Dangerous Code Execution
Content: else: print(f"Orphaned event detected: {event_id} - removing from tracking", file=sys.stderr) if script_dir: subprocess.run( f'{script_dir}/delete_tracked_event.sh --event-id "{event_id}"', shell=True, capture_output=True )
Confidence: 98% confidence
Finding: subprocess.run( f'{script_dir}/delete_tracked_event.sh --event-id "{event_id}"', shell=True, cap

Context-Inappropriate Capability

Medium

Confidence: 90% confidence
Finding: The skill goes beyond extracting events and creating calendar entries by also sending outbound notification emails derived from email content. That expands the action surface from passive processing to active external communication, which can leak sensitive event details or links if triggered on private or maliciously crafted messages.

Context-Inappropriate Capability

Low

Confidence: 84% confidence
Finding: Persistent activity logging of processed emails, skips, and event actions creates an additional datastore of user email metadata outside the mailbox and calendar systems. Even if intended for auditability, silent logging increases privacy exposure and retention risk if the workspace is accessed by other tools or users.

Intent-Code Divergence

Medium

Confidence: 82% confidence
Finding: The module is presented as an email-to-calendar support layer, but it includes a generic outbound email capability that enables exfiltration or impersonation actions unrelated to calendar extraction. In an agent skill context, this expands privileges beyond the apparent purpose of the component and can surprise reviewers or users who expect read-only/calendar-oriented behavior.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The instruction to 'Log all scanning activity silently for audit trail' introduces undisclosed monitoring and retention of potentially sensitive email-derived metadata or content. In an email-processing skill, silent logging is especially risky because users may not expect mailbox activity to be recorded outside the mail system, increasing privacy and data-handling exposure.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The configuration defaults indicate automatic marking-as-read, archiving, and auto-processing of calendar reply emails without a clear user-facing warning or explicit consent. These actions modify the user's mailbox state and can hide messages or alter workflows, which is dangerous in a skill that operates over personal communications.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The setup flow explicitly recommends defaults that modify the user's mailbox by marking emails as read, archiving them, and optionally auto-processing calendar replies, while encouraging users to 'Just press Enter' to accept them. In a skill that reads and transforms email into calendar events, silent mailbox mutation can cause loss of visibility, missed messages, and accidental processing of important correspondence.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The manual configuration examples enable automatic disposition of calendar reply emails and other mailbox state changes without prominently warning that the skill will alter or hide messages after processing. Users copying these examples may unknowingly deploy a configuration that suppresses email visibility and makes review or recovery harder.

Vague Triggers

Medium

Confidence: 92% confidence
Finding: Scanning all unread emails for event indicators is broader than necessary for the stated function and can cause the skill to process unrelated or sensitive messages. This increases privacy risk and makes prompt-triggered extraction easier to abuse, especially in inboxes containing personal, legal, medical, or financial content.

Missing User Warnings

High

Confidence: 95% confidence
Finding: The skill advertises broad inbox monitoring and silent activity logging without a prominent user-facing privacy warning commensurate with the sensitivity of email content. Because email bodies, URLs, subjects, and derived actions may be persisted and reused, users may not understand the extent of collection, monitoring, and downstream processing.

Vague Triggers

Medium

Confidence: 84% confidence
Finding: The trigger list includes very generic phrases such as "check emails" and "scan inbox," which can cause the skill to activate in situations broader than a user likely intends. In a skill that requests email-reading and calendar-writing capabilities, overbroad invocation increases the chance of unnecessary inbox access and unintended calendar modifications.

Natural-Language Policy Violations

Medium

Confidence: 94% confidence
Finding: The description explicitly advertises "silent activity logging," which indicates user actions or email-derived data may be recorded without clear consent, visibility, or stated limitation. Because this skill handles inbox contents and calendar data, silent logging can expose sensitive personal or business information and create a privacy and compliance risk.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The document explicitly instructs the system to delete an existing calendar event or modify its title when cancellation language is detected, but it provides no user confirmation, audit step, or safety guard before making a destructive change. In an email-extraction skill, this is risky because forwarded or malformed emails can be misparsed, causing unauthorized event deletion or silent corruption of calendar data.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The workflow explicitly writes extracted contents from forwarded emails into persistent memory files, including potentially sensitive metadata and task details, without any consent, retention notice, or minimization step. In an email-processing skill, this creates a real privacy and data-governance risk because forwarded emails may contain confidential business information, personal data, or client details that remain stored beyond the immediate task.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The calendar creation step propagates email-derived content into a calendar event description and sends updates to configured attendees, which can externally share information from the forwarded email without explicit confirmation of recipients or privacy implications. This is especially risky because the description includes sender identity, meeting details, and action items taken from the email, potentially disclosing sensitive internal or client information to unintended parties.

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: The script records email-related activity, including IDs, subjects, titles, and reasons, into a local audit log without any runtime disclosure, consent prompt, or visible notice to the user. In an agent skill context, silent collection of potentially sensitive metadata can enable covert monitoring, privacy violations, and unintended retention of user data, especially if the log file is readable by other local processes or backed up elsewhere.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The script creates or updates calendar events immediately based on provided inputs, modifying external user data without any inline confirmation, dry-run mode, or guardrail at the execution point. In an agent context, this makes unintended or manipulated inputs more dangerous because a mistaken invocation can silently create meetings, alter schedules, and invite third parties.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: After event creation, the script automatically updates invite status and dispositions the related email, potentially marking it read or archiving it without a clear user-facing warning or opt-in. In an automation skill, this hidden side effect can destroy auditability of inbox state, suppress visibility of important messages, and make social-engineering or misclassification errors harder for the user to detect and recover from.

Missing User Warnings

Medium

Confidence: 86% confidence
Finding: The script exposes an option to search email bodies and forwards that request directly to the backend without any warning, confirmation, or policy check. In an agent skill context, this increases the chance of over-collecting sensitive message content, especially if higher-level callers invoke --include-body automatically or with broad queries.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: This script forwards the recipient, subject, and body directly to an external email provider via a Python helper without any user-facing notice, confirmation, or consent check. In an agent setting, that can cause sensitive or user-supplied content to be exfiltrated to a third-party service unexpectedly, especially if the caller does not realize email transmission leaves the local trust boundary.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The code persists email-derived metadata such as email IDs, subjects, skip reasons, event titles, and timestamps to fixed files under the user's home directory without any notice, consent flow, minimization, or retention controls beyond session count. In an email-processing skill, this creates a real privacy and data-retention risk because sensitive message metadata can remain on disk and be exposed to other local users, backups, endpoint collection tools, or later compromise of the host.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The delete path performs calendar event deletion immediately once an `event_id` is supplied, with no confirmation, preview, or safeguard against accidental or misdirected destructive actions. In an agent skill context, this is more dangerous because automated or LLM-driven flows can misidentify events, causing irreversible deletion or loss of scheduling data.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: When attendees are added, the code automatically enables `--send-updates all` if the CLI supports it, but there is no explicit user-facing disclosure or consent gate. In an agent-driven workflow, this can unintentionally send external notifications or emails to real recipients, leaking meeting details and creating integrity/reputation issues.

Missing User Warnings

Medium

Confidence: 85% confidence
Finding: The code persists calendar event details and source email linkage to a JSON file under the user's home directory, creating a local audit trail that may expose sensitive scheduling and message metadata if the host is shared, backed up insecurely, or accessed by other local processes. In this skill context, the data is directly tied to email-derived calendar actions, so retaining it without minimization, encryption, permission hardening, or explicit disclosure increases privacy risk beyond what users may expect from an undo feature.

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: Delete operations intentionally retain the pre-deletion event data in the changelog so the action can be undone, which means information a user may believe was removed continues to exist on disk. In an email-to-calendar skill, deleted entries can still contain sensitive meeting titles, times, and related context, making this persistence a meaningful privacy and data-retention issue.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal