gcal-pro
Pass
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: SAFE
Full Analysis
- [DATA_EXFILTRATION]: The skill manages sensitive Google OAuth credentials (client_secret.json) and access tokens (token.json) stored in the user's configuration directory (~/.config/gcal-pro/). These credentials are used solely for authenticating with official Google Calendar API endpoints (googleapis.com).
- [PROMPT_INJECTION]: The skill processes calendar event data (summaries and descriptions) which are external inputs. While this presents a standard surface for indirect prompt injection, it is an inherent requirement for the skill's primary calendar-management purpose. The skill includes human-confirmation steps for destructive actions like deleting events.
- [EXTERNAL_DOWNLOADS]: The skill uses well-known, legitimate Python libraries for Google API interaction and date parsing, as listed in the requirements.txt file.
Audit Metadata