caldav-calendar
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTIONCREDENTIALS_UNSAFE
Full Analysis
- Indirect Prompt Injection (HIGH): The skill processes untrusted data from external CalDAV servers.
- Ingestion points: Data enters the agent's context through
khal listandkhal search(found in SKILL.md), which read event titles, descriptions, and locations. - Boundary markers: None. The instructions do not define delimiters or warn the agent to ignore instructions embedded in event data.
- Capability inventory: The agent can execute shell commands (
vdirsyncer,khal), write to the local filesystem (ICS files), and synchronize local state back to remote servers. - Sanitization: None. The skill does not provide mechanisms to filter or sanitize calendar content before the agent processes it.
- Credentials Unsafe (MEDIUM): The documentation explicitly references reading sensitive credentials from the filesystem.
- Evidence: The example configuration in SKILL.md uses
password.fetch = ["command", "cat", "~/.config/vdirsyncer/icloud_password"], pointing the agent directly to a file containing a plaintext password. - Command Execution (LOW): The skill relies on executing system binaries (
vdirsyncer,khal). While these are legitimate tools, the agent is granted permission to perform arbitrary synchronization and deletion operations on the user's calendar data.
Recommendations
- AI detected serious security threats
Audit Metadata