gcalcli

Fail

Audited by Gen Agent Trust Hub on Mar 24, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]:
  • The skill instructs the agent to execute a custom fork of the gcalcli tool directly from a personal GitHub repository (github.com/shanemcd/gcalcli) using the uvx tool. Executing unverified code from an individual's repository instead of the official project source introduces a significant supply chain risk, as the code could be modified to exfiltrate data or perform unauthorized actions.
  • [EXTERNAL_DOWNLOADS]:
  • The skill relies on fetching remote code from an untrusted personal GitHub account (shanemcd) for core calendar functionality. It also references a local directory (/var/home/shanemcd/github/shanemcd/gcmd) for another tool, which suggests execution of unverified scripts outside the skill's own scope.
  • [COMMAND_EXECUTION]:
  • The skill provides complex shell pipelines involving xargs, sh -c, and jq to process and export calendar data. These commands execute with the user's privileges and could be vulnerable to command injection if calendar event data (like attachment URLs or titles) contains shell metacharacters.
  • [PROMPT_INJECTION]:
  • As the skill is designed to fetch and process external data (Google Calendar events, descriptions, and attachments), it is susceptible to indirect prompt injection. Malicious instructions placed in calendar events by an external party could potentially influence the agent's behavior when it parses the output of the gcalcli tool.
  • Ingestion points: gcalcli agenda --json and gcalcli search output.
  • Boundary markers: None detected in the instructions to prevent the agent from following instructions found in calendar data.
  • Capability inventory: Shell execution via uvx, xargs, and sh -c across various instructions.
  • Sanitization: No evidence of sanitization or escaping of event content before processing.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 24, 2026, 12:25 AM