qclaw-calendar-guide

Pass

Audited by Gen Agent Trust Hub on Mar 21, 2026

Risk Level: SAFE
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes system-native scripting languages (Bash/AppleScript on macOS and PowerShell on Windows) to interact with local calendar applications. Analysis shows that these scripts use safe practices, such as passing user-supplied data as arguments to script functions rather than string concatenation, which mitigates the risk of command injection.
  • [EXTERNAL_DOWNLOADS]: The documentation references the installation of MCP servers (specifically @larksuiteoapi/lark-mcp) via npx for users wishing to integrate Feishu/Lark. These are documented as official tools from a well-known service provider and require explicit user action for configuration.
  • [DATA_EXFILTRATION]: The skill reads calendar event data, including titles, locations, and descriptions. This data is processed locally to display information to the user or to perform modifications. No evidence of unauthorized external transmission was found; network operations are limited to opening official platform URLs (e.g., Feishu Applinks).
  • [PROMPT_INJECTION]: The skill includes defensive instructions to confirm destructive actions (like bulk deletions) with the user and provides clear boundaries for its operations. While it processes external data from calendar events (Indirect Prompt Injection surface), its primary function is data management, and it uses structured logic for parsing.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 21, 2026, 04:45 PM