calcom-api
Pass
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: SAFE
NO_CODE
Full Analysis
- [Data Exposure & Exfiltration] (SAFE): No hardcoded credentials or sensitive file access patterns were found. The skill provides clear instructions for using API keys as environment variables and demonstrates proper Authorization headers using placeholders like `cal_<your_api_key>`. Network communication is directed solely to the official `api.cal.com` domain.
- [Unverifiable Dependencies & Remote Code Execution] (SAFE): The skill does not include any executable scripts, binary files, or external package requirements. It consists entirely of markdown documentation files.
- [Prompt Injection] (SAFE): The content is strictly instructional and related to API usage. No patterns indicating system prompt overrides, safety filter bypasses, or adversarial role-play instructions were detected.
- [Indirect Prompt Injection] (SAFE): The skill enables an agent to process data from the Cal.com API, which constitutes a potential ingestion surface for external content. However, the skill describes a standard integration with a known service and contains no malicious logic to exploit this data.
  - Ingestion points: API responses from booking and slot endpoints (e.g., `GET /v2/bookings`) and incoming webhook payloads.
  - Boundary markers: Not specified in the documentation files.
  - Capability inventory: HTTP GET, POST, PATCH, and DELETE operations against the Cal.com API.
  - Sanitization: Not applicable as this is a reference-only skill.
- [Obfuscation] (SAFE): No hidden text, zero-width characters, or encoded commands (e.g., Base64 or URL encoding) were found within the provided files.
Audit Metadata