calcom-access
Warn
Audited by Gen Agent Trust Hub on Apr 4, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes `bun install` and `bun run build` to compile a local CLI tool within the plugin directory. This involves running installation and build scripts which may execute arbitrary code.
- [DATA_EXFILTRATION]: The skill provides logic to discover and retrieve credentials from 1Password using the `op` CLI. It specifically targets the 'Claude Automation' vault to access Cal.com API keys and other sensitive infrastructure secrets.
- [PROMPT_INJECTION]: The 'Self-Evolving Skill' instruction directs the agent to modify the `SKILL.md` file to fix errors or drift. This capability could be exploited by an attacker to make the agent persistently alter its own security instructions or behavior.
- [EXTERNAL_DOWNLOADS]: The use of `bun install` initiates downloads of external packages from the npm registry during the preflight setup process.
- [COMMAND_EXECUTION]: The skill uses `mise trust` to automatically authorize and load environment variables from `.mise.local.toml`. This bypasses manual verification of environment configurations that reference multiple sensitive services including GCP, Supabase, and Telegram.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from the output of `op item list` (specifically item titles) and processes it to make configuration decisions without boundary markers or sanitization.
Audit Metadata