calcom-access
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes various shell commands to build a local CLI binary using 'bun' and interacts with the 1Password CLI ('op') to retrieve and store API credentials.
- [EXTERNAL_DOWNLOADS]: During the setup phase, the skill runs 'bun install' which downloads software dependencies from the public npm registry to build the Cal.com CLI tool.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) by processing untrusted data from the Cal.com API.
  - Ingestion points: External data enters the agent's context through the output of commands like '$CALCOM_CLI bookings list' and 'event-types list', which may contain attacker-controlled strings in booking titles or descriptions.
  - Boundary markers: No boundary markers or 'ignore' instructions are used when processing the CLI output.
  - Capability inventory: The skill is granted 'Bash' and 'Write' permissions, which could be exploited if the agent follows instructions embedded in API responses.
  - Sanitization: There is no evidence of sanitization, filtering, or validation performed on the data retrieved from the Cal.com API before it is processed by the agent.
Audit Metadata