google-calendar
Warn
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: MEDIUM (PROMPT_INJECTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [Metadata Poisoning] (MEDIUM): There is a deceptive discrepancy between the skill documentation in `SKILL.md` and the actual implementation. The documentation claims the skill uses the `google-api-python-client` library and the `build()` function for API interaction, whereas the scripts `scripts/google_calendar.py` and `scripts/refresh_token.py` actually use `urllib.request` to manually perform REST calls. This misleading metadata can cause misjudgment of the skill's dependencies and internal behavior.
- [Indirect Prompt Injection] (LOW): The skill possesses a surface for indirect prompt injection by ingesting untrusted data from an external API.
  - Ingestion points: `scripts/google_calendar.py` (via the `list_events` function which retrieves event summaries and descriptions).
  - Boundary markers: Absent. The skill does not provide any delimiters or instructions to help the agent distinguish between calendar data and system instructions.
  - Capability inventory: The skill can perform authenticated HTTP requests (GET, POST, PUT, DELETE) and has file-write access to `~/.config/google-calendar/secrets.env`.
  - Sanitization: Absent. While IDs are URL-encoded for API safety, the textual content of the events is not sanitized or validated before being passed to the agent's context.
- [External Downloads] (LOW): `SKILL.md` instructs users to install several Google-owned Python packages. Although these are from trusted sources, they are unnecessary as the provided code does not utilize them, contributing to the metadata discrepancy.
Audit Metadata