google-calendar

Pass

Audited by Gen Agent Trust Hub on May 6, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to execute curl commands for interacting with the Google Calendar API. It also uses jq for JSON processing and date for time calculations.
  • [EXTERNAL_DOWNLOADS]: The skill instructions include installing the @googleworkspace/cli package from the npm registry. This package is maintained by the googleworkspace organization, which is a well-known and trusted source. Use of this tool is optional and limited to agenda and event creation tasks.
  • [DATA_EXPOSURE]: The skill processes calendar data including event summaries, descriptions, locations, and attendee emails. This is inherent to the skill's purpose. It explicitly instructs the agent to treat the OAuth bearer token as a secret and avoid logging it.
  • [PROMPT_INJECTION]: The skill has a surface for indirect prompt injection as it ingests untrusted data from calendar event fields (summary, description). However, it uses jq for parsing and provides clear instructions for user confirmation before performing write operations, which mitigates the risk.
      • Ingestion points: Event data is fetched from the Google Calendar API via curl in SKILL.md.
      • Boundary markers: None explicitly defined for event content interpolation.
      • Capability inventory: The skill has Bash tool access for network requests and file operations.
      • Sanitization: Uses jq for structured data extraction and requires human-in-the-loop confirmation for updates or deletions.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 6, 2026, 12:51 PM