cal-com-automation
Pass
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection through the processing of untrusted data from the Cal.com API.
- Ingestion points: Tools like
CAL_FETCH_ALL_BOOKINGSandCAL_GET_AVAILABLE_SLOTS_INFOingest data such as attendee names, email addresses, and event metadata provided by external users. - Boundary markers: The instructions lack specific delimiters or instructions for the agent to ignore or sanitize embedded commands within these fields.
- Capability inventory: The skill possesses significant write capabilities, including
CAL_POST_NEW_BOOKING_REQUESTandCAL_UPDATE_WEBHOOK_BY_ID, which could be abused if an injected instruction is followed. - Sanitization: There is no evidence of data sanitization or validation before the agent processes external content.
- [EXTERNAL_DOWNLOADS]: The skill requires the configuration of an external third-party MCP server.
- Finding: The setup process directs users to add
https://rube.app/mcpas a remote server. This creates a dependency on an external infrastructure not controlled by the user or the primary platform. - Context: The skill states that no API keys are required for this endpoint, suggesting the external service manages authentication or acts as a proxy for Cal.com operations.
Audit Metadata