booking-config
Pass
Audited by Gen Agent Trust Hub on Apr 4, 2026
Risk Level: SAFE
Full Analysis
- [REMOTE_CODE_EXECUTION]: An automated alert flagged a potential RCE pattern involving `curl` piped to `python3`. Technical analysis of the file `SKILL.md` reveals that the output is actually piped to `python3 -m json.tool`. This is a standard Python module used for validating and pretty-printing JSON data; it does not execute the input as code and is considered a safe practice for CLI output formatting.
- [CREDENTIALS_UNSAFE]: The skill handles sensitive Cal.com API keys using a secure method. Rather than hardcoding secrets, it retrieves them from a 1Password vault using the `op` command-line utility at runtime (`op item get ... --reveal`). This aligns with industry security standards for secret management in automated scripts.
- [EXTERNAL_DOWNLOADS]: The skill interacts with `api.cal.com`, which is the official API for the well-known Cal.com scheduling service. These network requests are restricted to managing legitimate resources like event types and webhooks.
- [COMMAND_EXECUTION]: The skill utilizes the `Bash` tool to execute local commands including a specific `calcom` CLI binary located within the plugin's directory. These commands are necessary for the skill's stated purpose and do not exhibit suspicious behavior such as privilege escalation or persistence mechanisms.
Audit Metadata