calendar-audit

Warn

Audited by Socket on Feb 16, 2026

1 alert found:

Security: MEDIUM
SKILL.md

[Skill Scanner] Backtick command substitution detected.

This skill's stated purpose (calendar auditing to protect deep work) is consistent with most capabilities described (screenshots, ICS parsing, using calendar CLIs or APIs). The main security concern is operational: the skill requires access to sensitive calendar data and may execute local CLI commands or call MCP connectors whose trust boundary is unspecified. Those capabilities are proportionate for the feature set only if: (a) MCP connectors are official or run locally, (b) OAuth/token handling is secure and explicit to the user, (c) any remote vision/OCR service is disclosed and trusted, and (d) command execution is limited to the documented calendar commands. Because the documentation does not specify these safety controls, there is a meaningful risk of credential harvesting or data exfiltration if an implementation or connector is malicious or misconfigured. Recommend treating this skill as suspicious until MCP and connector implementations and storage semantics are audited; do not grant broad shell or network access to it without verification.

Confidence: 75%
Severity: 75%

Audit Metadata

Analyzed At: Feb 16, 2026, 03:23 AM
Package URL: pkg:socket/skills-sh/foogunlana%2Fskills%2Fcalendar-audit%2F@6ba1fcd665adf1a29120624c5e4499e06a6f851a