local-tools
Warn
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [PROMPT_INJECTION]: The SKILL.md file contains instructions that discourage the agent from inspecting the tool's source code ("Don't read script source code to analyze issues"), which acts as a form of anti-debugging or obfuscation of the skill's actual logic.
- [COMMAND_EXECUTION]: The calendar.sh script executes PowerShell with the '-ExecutionPolicy Bypass' flag on Windows, which is a technique used to subvert local security restrictions intended to prevent the execution of unauthorized or unsigned scripts.
- [COMMAND_EXECUTION]: On Windows, calendar.sh is vulnerable to argument injection because it constructs the PowerShell command line by concatenating strings and fails to quote the expanded '$args' variable. This allows crafted input in calendar event fields (like title or notes) to alter the command's execution flow.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through calendar event data.
  * Ingestion points: Calendar event titles, notes, and locations are read in scripts/calendar.sh and scripts/calendar.ps1.
  * Boundary markers: There are no delimiters or safety instructions used when passing event data to the agent.
  * Capability inventory: The skill has the capability to create, list, update, and delete local system calendar entries via shell scripts.
  * Sanitization: There is no sanitization of the event content to prevent the agent from interpreting ingested data as system instructions.