gcal
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION] (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8).
- Ingestion points: Commands such as
gog calendar events,gog calendar search, andgog calendar eventretrieve data (summaries, descriptions, locations) that can be controlled by external parties (e.g., via shared calendars or invitations). - Boundary markers: The skill does not define delimiters or warnings to prevent the agent from treating event content as instructions.
- Capability inventory: The skill possesses the ability to create, update, and delete events, and modify permissions via
gog calendar acl. - Sanitization: There is no evidence of content sanitization or validation for retrieved data before it is processed by the agent.
- [COMMAND_EXECUTION] (SAFE): The skill relies on executing shell commands via the
gogCLI. This is the intended behavior for the tool and is used to facilitate legitimate Google Calendar operations. No unauthorized or suspicious command patterns were detected.
Audit Metadata