local-tools

Warn

Audited by Gen Agent Trust Hub on Feb 27, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The script calendar.sh invokes PowerShell with the -ExecutionPolicy Bypass flag to run the local calendar.ps1 script. This bypasses the security policies intended to restrict script execution.
  • [COMMAND_EXECUTION]: On macOS, the skill dynamically assembles JavaScript for Automation (JXA) code as a string, incorporating user-provided parameters, and executes it via 'osascript'. Because user-provided parameters become part of the code that is executed, this dynamic code assembly is a security risk.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests data from local calendar events (titles, notes, and locations) and returns it to the agent without sanitization or protective boundary markers.
      * Ingestion points: scripts/calendar.ps1 (Outlook items) and scripts/calendar.sh (macOS calendar events).
      * Boundary markers: Absent; no delimiters are used to separate untrusted data.
      * Capability inventory: The agent can create, update, and delete events, and run shell scripts.
      * Sanitization: Absent; calendar content is passed directly to the model.
  • [PROMPT_INJECTION]: The SKILL.md instructions explicitly direct the AI agent not to read or analyze the script source code, which could be an attempt to prevent the AI from identifying malicious logic or vulnerabilities within the tool's implementation.
Audit Metadata
  Risk Level: MEDIUM
  Analyzed: Feb 27, 2026, 07:22 AM