note-calendar

Fail

Audited by Gen Agent Trust Hub on Apr 7, 2026

Risk Level: HIGH (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION)
Full Analysis
  • [COMMAND_EXECUTION]: The scripts in the bin/ directory (cal-add, cal-move, and cal-query) use unquoted shell heredocs (<< PYEOF) to pass variables to Python. This allows the system shell to perform variable expansion and execute commands contained within inputs like $TITLE or $START_RAW before they reach the Python interpreter. Since calendar titles can be sourced from external invites or shared calendars, this creates a high-risk command injection vulnerability.
  • [DYNAMIC_EXECUTION]: The skill generates and executes AppleScript strings at runtime using osascript. These strings are constructed by interpolating shell variables that have not been safely escaped for shell expansion, enabling an attacker to manipulate the generated script and perform unauthorized actions within the Calendar application or the broader system.
  • [INDIRECT_PROMPT_INJECTION]: The skill lacks sufficient sanitization for data ingested from external sources like the macOS Calendar. An attacker could potentially influence calendar event content to exploit the command injection vulnerabilities when the user performs syncing or planning tasks.
      • Ingestion points: cal-query outputs used in SKILL.md functionality.
      • Boundary markers: None.
      • Capability inventory: Subprocess execution in utility scripts and osascript automation.
      • Sanitization: Insufficient; the skill relies on basic string replacement that does not account for shell-level variable expansion.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Apr 7, 2026, 04:00 AM
Security Audit — agent-trust-hub — note-calendar