The Agent Skills Directory

[CREDENTIALS_UNSAFE] (MEDIUM): The skill is designed to store OAuth 2.0 refresh tokens and Client Secrets in the accounts/ and references/ directories. These are long-lived sensitive credentials stored in plain text JSON files on the local filesystem. While the documentation suggests adding these to .gitignore, their existence on disk remains a security risk for credential exposure.
[Indirect Prompt Injection] (LOW): The skill fetches and displays calendar event data (summaries, descriptions) from external APIs. This untrusted data is interpolated into the agent's context without sanitization.
Ingestion points: fetch_events.py reads data from the Google Calendar API.
Boundary markers: Absent. The skill does not use delimiters or instructions to ignore embedded commands in event data.
Capability inventory: manage_events.py provides create, update, and delete capabilities, which could be exploited if the agent follows instructions hidden in a calendar event.
Sanitization: Absent. Event strings are used directly for display and processing.
[COMMAND_EXECUTION] (LOW): The skill relies on uv run python to execute local helper scripts (setup_auth.py, fetch_events.py, manage_events.py). This is the intended operation of the skill but involves executing code with the user's local environment privileges.

google-calendar