gcal-skill
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFECOMMAND_EXECUTIONCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the Bash tool to execute a Python script (
gcal_skill.py) for all calendar operations. These operations include fetching event lists, searching, and modifying calendar data. - [CREDENTIALS_UNSAFE]: The skill manages sensitive OAuth 2.0 credentials and access tokens.
- It reads client secrets from
~/.claude/skills/gcal-skill/credentials.jsonor reuses them from a relatedgmail-skilldirectory. - It stores persistent OAuth tokens as JSON files in
~/.claude/skills/gcal-skill/tokens/to maintain session access. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it ingests untrusted data from an external source (Google Calendar).
- Ingestion points: Data enters the agent's context through functions like
cmd_today,cmd_week,cmd_agenda, andcmd_searchingcal_skill.py, which retrieve event titles, descriptions, and attendee lists. - Boundary markers: Explicit delimiters or 'ignore instructions' warnings are absent when displaying event data to the agent. However,
SKILL.mddoes mandate a human confirmation step before performing write actions (event creation). - Capability inventory: The skill has the capability to modify state via
cmd_create,cmd_delete, andcmd_updatefunctions ingcal_skill.py. - Sanitization: The script does not perform sanitization or filtering of the retrieved event content before presenting it to the agent.
Audit Metadata