caldav-calendar
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on executing system binaries vdirsyncer and khal to perform calendar synchronization and management tasks.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests and processes calendar event data (titles, descriptions, locations) from external CalDAV servers.
  - Ingestion points: Remote CalDAV servers (iCloud, Google, Fastmail, Nextcloud) synced via vdirsyncer; the synced data is then read by the agent through the khal CLI tool.
  - Boundary markers: The skill provides no delimiters or explicit instructions to help the agent distinguish between calendar data and operational instructions.
  - Capability inventory: The agent can execute shell commands (vdirsyncer, khal), read local configuration files (e.g., ~/.config/vdirsyncer/config), and delete local database files (rm ~/.local/share/khal/khal.db).
  - Sanitization: Calendar content is not sanitized or escaped before being processed by the agent, allowing instructions embedded in calendar events to potentially influence agent behavior.
Audit Metadata