ics-calendar-reader
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM (PROMPT_INJECTION, COMMAND_EXECUTION, NO_CODE)
Full Analysis
- PROMPT_INJECTION (MEDIUM): The skill is designed to ingest and parse untrusted data from external iCalendar (.ics) files, creating a surface for indirect prompt injection attacks. Malicious instructions embedded in calendar fields could override the agent's primary instructions.
  - Ingestion points: The `scripts/read_ics.py` tool fetches content from URLs defined in the `ICS_URLS` environment variable (file: SKILL.md).
  - Boundary markers: No boundary markers or delimiters are specified to separate untrusted event data from agent instructions. The skill explicitly instructs the agent to treat the parsed JSON as the 'source of truth'.
  - Capability inventory: The agent is instructed to summarize and filter the parsed event data. The underlying script has the capability to make network requests to arbitrary URLs provided in the environment.
  - Sanitization: No sanitization or filtering of the content within the `SUMMARY`, `DESCRIPTION`, or other ICS fields is mentioned or implemented in the provided configuration.
- COMMAND_EXECUTION (LOW): The skill workflow involves executing a Python script (`scripts/read_ics.py`) with various command-line arguments to parse data. This is standard functionality but represents a local execution surface.
- NO_CODE (LOW): The executable script `scripts/read_ics.py` referenced in the documentation is missing from the skill package, which prevents a full security audit of the implementation logic and its handling of malformed ICS data.
Audit Metadata