gcalcli-calendar
Pass
Audited by Gen Agent Trust Hub on Mar 31, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands using the
gcalclitool, including the use of the--iamaexpertflag to perform non-interactive deletions. This bypasses built-in tool safeguards and relies entirely on the agent's interpretation of the user's intent. - [COMMAND_EXECUTION]: Complex shell commands are constructed using string interpolation and piping (e.g.,
echo '...' | gcalcli import). This pattern introduces a potential for command injection if the agent does not properly escape characters in event titles, descriptions, or search queries provided by the user. - [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8). It ingests untrusted data from Google Calendar (event titles, descriptions) via
gcalcli agendaandgcalcli search. This data is then processed to determine which events to delete or modify. The skill lacks explicit boundary markers or instructions to ignore embedded commands within the processed event data. A maliciously crafted calendar event could attempt to trick the agent into performing unauthorized actions. - [SAFE]: The skill relies on
gcalcli, a well-known and widely used open-source CLI tool for Google Calendar management. - [SAFE]: Network activity is restricted to official Google API endpoints (
googleapis.com) as handled by the underlyinggcalclitool. No unauthorized external communication or data exfiltration patterns were detected.
Audit Metadata