booking-notify
Fail
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: HIGHCOMMAND_EXECUTIONCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill manages system persistence by configuring
launchdfor periodic sync tasks. It also performs administrative operations such as building binaries withbun installand deploying services viagcloud run deploy.\n- [CREDENTIALS_UNSAFE]: Sensitive tokens for Telegram, Pushover, and Cal.com are stored and used as environment variables. The use of the 1Password CLI (op) to fetch these secrets still results in their exposure within the process environment.\n- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it retrieves untrusted data from the Cal.com API (names, event titles, and notes) and interpolates it into templates without sanitization.\n - Ingestion points: Booking details (event title, attendee name, and notes) from the Cal.com API.\n
- Boundary markers: No delimiters or safety instructions are present in the notification templates.\n
- Capability inventory: The skill uses
Bashfor system commands andbunfor script execution.\n - Sanitization: No sanitization or validation of user-provided content is performed before data is sent to notification channels.
Recommendations
- AI detected serious security threats
Audit Metadata