py-googlecalendar-cli

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Google Calendar command-line skill that does what it advertises, though it can read and change real calendar data when given OAuth credentials.

Install only if you want this skill or an agent using it to manage your Google Calendar. Store the OAuth secret and refresh token securely, avoid passing secrets in shared shells or logs, scope access to the intended calendar when possible, and review add/update/delete commands before they run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium (88% confidence)
Finding
The documented update and delete commands can irreversibly modify or remove calendar events, yet the skill provides no warning about destructive behavior or the risk of acting on the wrong event ID/calendar. In agent-driven or scripted use, this omission increases the chance of accidental data loss or unauthorized changes if the tool is invoked with incorrect parameters.

Missing User Warnings

Medium (91% confidence)
Finding
The setup instructions ask users to export OAuth client credentials and a refresh token, but do not warn that these are highly sensitive secrets that can grant ongoing access to calendar data. Without handling guidance, users may expose tokens via shell history, logs, screenshots, shared environments, or misconfigured agent tooling, leading to account compromise or unauthorized calendar access.

VirusTotal

64/64 vendors flagged this skill as clean.
