radicale

The radicale skill is largely coherent with its stated purpose of managing a self-hosted Radicale server via CalDAV/CardDAV. Its footprint is appropriately scoped to read/write calendar events and contacts through a Python wrapper. The main security considerations are typical for a self-hosted tooling setup: credentials stored locally in a .env file with gitignore, the use of HTTP for local communications (no TLS by default), and reliance on official Python libraries installed from standard registries. These factors render the risk as MEDIUM-LOW overall (benign in intent, with normal self-hosted usage caveats). The most notable risks are plaintext local credential storage, lack of explicit TLS/transport security, and timezone handling limitations. No evidence of credential forwarding to third-party services, exploit tooling, or unauthorized data exfiltration was found. Overall, classify as BENIGN with caution due to local credentials and non-TLS defaults.