booking-config
Fail
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONCREDENTIALS_UNSAFECOMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill contains a command that fetches data from an external URL and pipes the output directly into
python3. While the script specifies-m json.tool, the automated scanner identified this as a high-risk remote code execution pattern where malicious data from the endpoint could potentially be executed if the command is modified or the module is bypassed. - [CREDENTIALS_UNSAFE]: The
CALCOM_API_KEYis passed as a plaintext query parameter in acurlrequest (?apiKey=$CALCOM_API_KEY). This is a dangerous practice as it leaks sensitive credentials in command-line history, server-side logs, and network monitoring tools. - [COMMAND_EXECUTION]: The skill relies on the execution of a local binary (
calcom) from a specific path in the user's home directory. This allows for arbitrary command execution within the agent's environment if the binary or path is compromised.
Recommendations
- HIGH: Downloads and executes remote code from: https://api.cal.com/v1/webhooks?apiKey=$CALCOM_API_KEY - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata