Trust Assessment
email-to-calendar received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 25 findings: 7 critical, 5 high, 12 medium, and 1 low severity. Key findings include arbitrary command execution (shell commands and `python3 -c` one-liners built from email-derived strings), unsafe deserialization / dynamic eval, and a missing required `name` field in the SKILL.md frontmatter. Several findings are the same location reported by more than one layer: the four critical Manifest findings and the four high Static findings point at the same four `subprocess.run()` call sites (calendar_ops.py:39 and :53, email_ops.py:39, event_tracking.py:170), so the 25 findings describe fewer distinct issues than the count suggests. The six medium "Decryption followed by code execution" findings all fire at line 5 of six different files; confirm by hand whether those lines contain an eval or decrypt pattern or only an import that happens to match the signature.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (25)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls: ensure commands are static (not built from user input), use absolute paths, and are strictly necessary; prefer library APIs over shell commands. | Manifest | skills/tonimelisma/email-to-calendar/scripts/utils/calendar_ops.py:39 |
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls: ensure commands are static (not built from user input), use absolute paths, and are strictly necessary; prefer library APIs over shell commands. | Manifest | skills/tonimelisma/email-to-calendar/scripts/utils/calendar_ops.py:53 |
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls: ensure commands are static (not built from user input), use absolute paths, and are strictly necessary; prefer library APIs over shell commands. | Manifest | skills/tonimelisma/email-to-calendar/scripts/utils/email_ops.py:39 |
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls: ensure commands are static (not built from user input), use absolute paths, and are strictly necessary; prefer library APIs over shell commands. | Manifest | skills/tonimelisma/email-to-calendar/scripts/utils/event_tracking.py:170 |
| CRITICAL | **Shell command injection via `date -d`.** The `scripts/check_duplicate.sh` script constructs a `date` command using `date -d "$ISO_DATE -1 day"`. The `$ISO_DATE` variable is derived from user-controlled input (the `DATE` argument, which originates from email content). If an attacker can inject shell metacharacters into the date string, they can execute arbitrary commands on the system; for example, if `ISO_DATE` is crafted as `2026-02-11; rm -rf /`, the `date` command would execute `rm -rf /`. Sanitize or validate `$ISO_DATE` before using it in shell commands, or use a safer method for date manipulation that does not involve direct shell interpolation; consider passing date components as separate arguments to a Python script for processing. | LLM | scripts/check_duplicate.sh:40 |
| CRITICAL | **Python `exec` injection via `python3 -c`.** The `scripts/check_duplicate.sh` script executes a Python one-liner using `python3 -c "..."` and directly interpolates shell variables (`$TITLE_KEYWORDS`, `$ISO_DATE`, `$TIME`) into the Python code string. If these variables, which are derived from user-controlled email content, contain characters that break out of a Python string literal (e.g., `"` followed by Python code), an attacker can inject and execute arbitrary Python code. Avoid direct interpolation of user-controlled data into `python3 -c` commands. Instead, pass the data as command-line arguments to a Python script (e.g., `python3 script.py --title "$TITLE_KEYWORDS"`) and parse them safely within Python, or use a temporary file to pass the data. | LLM | scripts/check_duplicate.sh:58 |
| CRITICAL | **Shell command injection via `subprocess.run(shell=True)` with an f-string.** The `scripts/utils/event_tracking.py` script uses `subprocess.run(f'{script_dir}/delete_tracked_event.sh --event-id "{event_id}"', shell=True, ...)` to execute a shell command. The `event_id` variable is interpolated directly into the command string, and `shell=True` is enabled. If `event_id` (which can originate from external calendar systems) contains shell metacharacters (e.g., `"; rm -rf /"`), an attacker can execute arbitrary shell commands. Never use `shell=True` with f-strings or string concatenation when any part of the command string originates from untrusted input. Instead, pass the command and its arguments as a list to `subprocess.run` (e.g., `subprocess.run([f'{script_dir}/delete_tracked_event.sh', '--event-id', event_id])`) and remove `shell=True`. | LLM | scripts/utils/event_tracking.py:130 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function '_check_send_updates_support'. This can execute arbitrary code. Avoid dangerous functions like exec/eval/os.system; use safer alternatives. | Static | skills/tonimelisma/email-to-calendar/scripts/utils/calendar_ops.py:39 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function '_run_gog_command'. This can execute arbitrary code. Avoid dangerous functions like exec/eval/os.system; use safer alternatives. | Static | skills/tonimelisma/email-to-calendar/scripts/utils/calendar_ops.py:53 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function '_run_gog_command'. This can execute arbitrary code. Avoid dangerous functions like exec/eval/os.system; use safer alternatives. | Static | skills/tonimelisma/email-to-calendar/scripts/utils/email_ops.py:39 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function 'lookup_events'. This can execute arbitrary code. Avoid dangerous functions like exec/eval/os.system; use safer alternatives. | Static | skills/tonimelisma/email-to-calendar/scripts/utils/event_tracking.py:170 |
| HIGH | **Potential `jq` filter injection in LLM instructions.** The `SKILL.md` provides an example instruction for the LLM: `jq -e ".extractions[] \| select(.email_id == \"$EMAIL_ID\")" "$INDEX_FILE"`. This pattern interpolates the `$EMAIL_ID` variable directly into a `jq` filter string. If the LLM follows this instruction and `$EMAIL_ID` contains `"` or `\` characters, the result is `jq` filter injection, allowing an attacker to manipulate the `jq` query logic. While `jq` is not a shell, manipulating its filters can lead to data exfiltration or denial of service by altering how the JSON data is processed. When constructing `jq` filters with dynamic values, ensure the values are properly escaped for `jq`'s syntax. The safer approach is to pass the dynamic value as a `jq` variable using `--arg` or `--argjson` (e.g., `jq --arg email_id "$EMAIL_ID" '.extractions[] \| select(.email_id == $email_id)'`). Update the `SKILL.md` example to reflect this pattern. | LLM | SKILL.md:63 |
| MEDIUM | **Unsafe deserialization / dynamic eval.** Decryption followed by code execution. Remove obfuscated code execution patterns: legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/tonimelisma/email-to-calendar/scripts/utils/calendar_ops.py:5 |
| MEDIUM | **Unsafe deserialization / dynamic eval.** Decryption followed by code execution. Remove obfuscated code execution patterns: legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/tonimelisma/email-to-calendar/scripts/utils/common.py:5 |
| MEDIUM | **Unsafe deserialization / dynamic eval.** Decryption followed by code execution. Remove obfuscated code execution patterns: legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/tonimelisma/email-to-calendar/scripts/utils/disposition_ops.py:5 |
| MEDIUM | **Unsafe deserialization / dynamic eval.** Decryption followed by code execution. Remove obfuscated code execution patterns: legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/tonimelisma/email-to-calendar/scripts/utils/email_ops.py:5 |
| MEDIUM | **Unsafe deserialization / dynamic eval.** Decryption followed by code execution. Remove obfuscated code execution patterns: legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/tonimelisma/email-to-calendar/scripts/utils/json_store.py:5 |
| MEDIUM | **Unsafe deserialization / dynamic eval.** Decryption followed by code execution. Remove obfuscated code execution patterns: legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/tonimelisma/email-to-calendar/scripts/utils/undo_ops.py:5 |
| MEDIUM | **Missing required field: name.** The 'name' field is required for claude_code skills but is missing from the frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/tonimelisma/email-to-calendar/SKILL.md:1 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this access is necessary and that the value is not exfiltrated. | Static | skills/tonimelisma/email-to-calendar/scripts/create_event.sh:44 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this access is necessary and that the value is not exfiltrated. | Static | skills/tonimelisma/email-to-calendar/scripts/delete_tracked_event.sh:9 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this access is necessary and that the value is not exfiltrated. | Static | skills/tonimelisma/email-to-calendar/scripts/list_pending.sh:20 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this access is necessary and that the value is not exfiltrated. | Static | skills/tonimelisma/email-to-calendar/scripts/lookup_event.sh:12 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this access is necessary and that the value is not exfiltrated. | Static | skills/tonimelisma/email-to-calendar/scripts/update_invite_status.sh:15 |
| LOW | **Node lockfile missing.** package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/tonimelisma/email-to-calendar/package.json |
Full report: https://skillshield.io/report/e03a520bfa68eff7
Powered by SkillShield