Fcalendar Skill

Security checks across malware telemetry and agentic risk

Overview

This is a date and Chinese holiday helper; its trigger wording is overly broad, but the artifacts do not show sensitive access, hidden behavior, or harmful actions.

Install only if you are comfortable running the referenced PyPI package locally. Use a virtual environment, consider pinning a version, and avoid configuring the skill to activate on every casual mention of a weekday or holiday unless you want that behavior.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

High

Confidence: 95% confidence
Finding: The trigger guidance is extremely broad: it instructs invocation whenever users mention any time-related terms, including common words like weekdays and holidays. Over-broad triggers can cause unnecessary tool execution, expand the attack surface, and route unrelated user content into an external package/CLI more often than needed.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal