Trust Assessment
google-calendar received a trust score of 32/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 2 critical, 0 high, 1 medium, and 1 low severity. Key findings include Network egress to untrusted endpoints, Unpinned npm dependency version, Command Injection via Unsanitized User Input in Shell Commands.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 68/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings5
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/sheldenshi/google-calendar-master/scripts/auth.ts:271 | |
| CRITICAL | Command Injection via Unsanitized User Input in Shell Commands The skill's instructions in `SKILL.md` explicitly direct the host LLM to construct and execute shell commands using user-provided input without specifying any sanitization or shell-escaping mechanisms. This allows a malicious user to inject arbitrary shell commands by including shell metacharacters (e.g., `;`, `&`, `|`, `$(...)`, `` ` ``) in their input for arguments such as `--summary`, `--start`, `--end`, `--description`, `--location`, `--attendees`, `<eventId>`, `<chosen-name>`, `[purpose]`, `DATE`, `N`, or `text`. For example, if a user provides `--summary "My meeting"; rm -rf /` for an event summary, the host LLM might construct and execute `bun run calendar.ts create --summary "My meeting"; rm -rf /`, leading to arbitrary command execution. This vulnerability applies to all commands where user input is directly embedded into the shell command string. Instruct the host LLM to rigorously sanitize and shell-escape all user-provided arguments before embedding them into shell commands. For example, specify using a language-appropriate shell escaping function (e.g., `shlex.quote` in Python, `shell_exec` in PHP, or similar for other languages) for every argument that originates from user input. Update all command examples to reflect this necessity, e.g., `bun run calendar.ts create --summary "$(shlex.quote user_summary)" ...`. | LLM | SKILL.md:72 | |
| MEDIUM | Unpinned npm dependency version Dependency 'open' is not pinned to an exact version ('^10.1.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/sheldenshi/google-calendar-master/scripts/package.json | |
| LOW | Unpinned Dependencies in package.json The `package.json` file uses caret (`^`) ranges for dependencies (`open`, `@types/node`). While `package-lock.json` provides exact versions, using caret ranges in `package.json` means that `bun install` could potentially fetch newer, untested, or even malicious minor/patch versions if the lockfile is ignored or deleted. This introduces a slight supply chain risk as the exact versions are not strictly enforced at the `package.json` level. Consider pinning dependencies to exact versions in `package.json` (e.g., `"open": "10.2.0"`) to ensure deterministic builds and prevent unexpected updates. Alternatively, ensure that the `package-lock.json` (or `bun.lockb`) is always used and kept up-to-date. | LLM | scripts/package.json:9 | |
| INFO | Presence of `run-applescript` dependency The skill indirectly depends on `run-applescript` via the `open` and `default-browser` packages. `run-applescript` allows execution of arbitrary AppleScript commands, which is a powerful capability. While its current use (opening a URL for OAuth) does not appear to be directly exploitable by user input, the presence of such a dependency in the chain introduces a potential attack surface if a vulnerability were found in `open`, `default-browser`, or `run-applescript` that allowed injection of malicious AppleScript. Regularly review dependencies for known vulnerabilities. If possible, consider alternatives that do not rely on highly privileged system command execution for basic functionality, or ensure that the usage context strictly limits any potential for injection. | LLM | scripts/package-lock.json:100 |
Scan History
Embed Code
[](https://skillshield.io/report/11138267d90fd57e)
Powered by SkillShield