The Agent Skills Directory

[Data Exposure & Exfiltration] (HIGH): The skill accesses and stores sensitive OAuth client secrets and session tokens at ~/.config/google-calendar/credentials.json and ~/.config/google-calendar/token.json. These files contain long-lived credentials that provide persistent access to the user's Google account and are vulnerable to exposure if the agent environment is compromised.
[Indirect Prompt Injection] (HIGH): The skill is designed to ingest and process data from the Google Calendar and Tasks APIs, which frequently contain untrusted content created by third parties.
Ingestion points: Data is retrieved from the Google Calendar API and Google Tasks API via the gcal script.
Boundary markers: No delimiters or instructions to ignore embedded commands are specified when processing event summaries or task titles.
Capability inventory: The skill includes tools to delete-event, update-event, delete-task, and update-task. It also provides a generic call command for arbitrary API interactions.
Sanitization: There is no evidence of input validation or sanitization for external data before it is processed or used in decision-making.
[Unverifiable Dependencies & Remote Code Execution] (MEDIUM): The scripts/requirements.txt file specifies external dependencies including google-auth, google-auth-oauthlib, and requests. While these are widely used libraries, they are installed from the public PyPI registry at runtime, which introduces a dependency-based attack surface.
[Command Execution] (LOW): The documentation requires the execution of multiple shell scripts (gcal, gcal-auth) and the management of a Python virtual environment, which increases the operational attack surface of the agent.

google-calendar