cal-com-automation
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: Indirect prompt injection surface detected in SKILL.md. The skill processes data from external Cal.com resources and user-provided attendee details, which are used to populate tool parameters. Evidence:
- Ingestion points: External data enters the agent context via tools like CAL_FETCH_ALL_BOOKINGS, CAL_RETRIEVE_WEBHOOKS_LIST, and CAL_GET_TEAMS_LIST.
- Boundary markers: The skill instructions do not specify the use of delimiters or 'ignore embedded instructions' warnings for processed data.
- Capability inventory: The skill can perform network operations via CAL_POST_NEW_BOOKING_REQUEST, CAL_UPDATE_WEBHOOK_BY_ID, and CAL_DELETE_WEBHOOK_BY_ID across various workflows.
- Sanitization: There are no explicit instructions for sanitizing, escaping, or validating external content before interpolation into tool calls.
- [EXTERNAL_DOWNLOADS]: The skill requires connection to an external MCP server at https://rube.app/mcp to provide the automation tools.
Audit Metadata