Is billylui/calendar-scheduling safe?
https://github.com/openclaw/skills/tree/main/skills/billylui/calendar-scheduling
The billylui/calendar-scheduling skill is functionally legitimate with a clean SKILL.md (no prompt injection), a clean git install (only GitHub HTTPS connections), and confirmed canary integrity. However, it carries meaningful trust risks from its mandatory dependency on the third-party @temporal-cortex/cortex-mcp npm package, which executes at every MCP session start with full access to user environment and stored OAuth calendar credentials, and from an opt-in cloud mode that routes all calendar operations through mcp.temporal-cortex.com. Canary file ACCESS events were detected but correlate precisely with audit framework pre- and post-install check phases, not with any skill-spawned process.
Findings (11)
HIGH: MCP Server Executes Third-Party npm Package at Every Runtime Session (-20)
The .mcp.json configuration launches the MCP server via 'npx -y @temporal-cortex/[email protected]'. This downloads and executes code from the npm registry controlled by a third party at every MCP server startup. The package runs with full access to the user's environment variables, filesystem, and stored OAuth credentials. While the version is pinned to 0.4.1, the security of this skill is entirely dependent on the integrity of the @temporal-cortex npm publisher. A compromised publish event to a future version (when users update) or a supply chain attack on the pinned version would grant full calendar access and credential exfiltration capability.
HIGH: Cloud Mode Routes All Calendar Data and Operations Through Third-Party Service (-15)
SKILL.md prominently advertises a managed cloud alternative where users configure their MCP client to point at https://mcp.temporal-cortex.com/sse with a Bearer API token obtained by signing up at https://app.temporal-cortex.com. Users who adopt this mode route all 11 MCP tool calls — including list_events, get_availability, book_slot, and all OAuth credential usage — through an external service not operated by the skill author and not auditable by the user. The cloud mode is presented as the easier path ('no local setup required'), increasing adoption risk.
MEDIUM: OAuth Credentials Stored at Predictable User-Readable Filesystem Path (-13)
OAuth tokens for Google Calendar, Microsoft Outlook, and CalDAV are stored at ~/.config/temporal-cortex/credentials.json after authentication. This file is readable by any process running as the same user, including other installed skills, malicious agents, or compromised tools. Exfiltrating this file would grant full calendar read/write access to all connected providers without requiring additional authentication.
MEDIUM: Shell Scripts Execute OAuth Flows, Write Credentials, and Invoke Inline Python (-12)
configure.sh, setup.sh, and status.sh are executable scripts with meaningful system access. setup.sh launches browser-based OAuth flows via npx and writes the resulting tokens to disk. configure.sh reads user timezone input (validated by regex [A-Za-z0-9/_+-]+) and writes it using inline python3 -c invocations. status.sh parses credential files directly. These scripts are not auto-executed during install but could be invoked by an agent in an automated context.
MEDIUM: Skill Grants Full Silent Calendar Read Access Enabling Schedule Surveillance (-15)
An agent with this skill can silently enumerate a user's full schedule via list_events and get_availability. The get_availability tool with privacy='opaque' (the default) reveals busy/free blocks across all connected calendars without disclosing which specific calendar or event is responsible. This allows covert schedule surveillance — determining when a target is in meetings, available, or traveling — without leaving obvious traces in the calendar system itself.
LOW: npm MCP Package Runs with Full Access to User Environment at Runtime (-5)
When the MCP server starts via npx, the @temporal-cortex/cortex-mcp process inherits the user's full environment including any API keys, tokens, or secrets present in environment variables. The .mcp.json passes TIMEZONE and WEEK_START but the npm package itself can read any env var in the process environment. Combined with its filesystem access (for reading ~/.config/temporal-cortex/credentials.json), the package has a broad attack surface if compromised.
LOW: book_slot Attendees Parameter Enables Unsolicited Calendar Invitation Sending (-5)
The book_slot tool accepts an optional attendees array of email addresses. When invoked, calendar invitations are sent to all listed addresses. A manipulated agent could use this to send calendar invitations to arbitrary email addresses (including reconnaissance of valid addresses, initiating contact from a trusted user's calendar account, or calendar spam) without explicit per-send user confirmation.
LOW: Sensitive Canary Files Accessed Pre-Install and Post-Install (Consistent with Audit Framework Operations) (-12)
PATH audit records confirm that .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json were opened and read at timestamps 1771921849.722 (38ms after the audit baseline command, before git clone) and 1771921876.427 (post-install, during the audit framework's post-scan phase). Both access clusters align exactly with audit framework lifecycle phases rather than any skill-spawned process. Canary integrity monitor confirms files unmodified and no content exfiltration detected in network traffic.
LOW: Third-Party npm Package Is the Irreducible Trust Boundary for This Skill (-13)
The entire security posture of this skill depends on @temporal-cortex/cortex-mcp behaving as documented. The skill author (billylui) does not control this package. If the temporal-cortex npm account were compromised, if a future version update introduced malicious behavior, or if the package already contains undocumented capabilities, all calendar data and OAuth tokens would be at risk. The npm audit was not performed during this assessment, so the package's dependency chain is unknown.
INFO: Pre-Existing Ubuntu Update Server Connections Active During Install Audit (-8)
Two ESTABLISHED connections to Ubuntu infrastructure (185.125.188.58:443, 91.189.91.48:443) were active before and during the install audit. These are unrelated to the skill (Ubuntu Advantage / motd-news connections) and were present in the BEFORE snapshot. They are noted for completeness and do not represent skill-induced network activity.
INFO: SKILL.md References External Cloud Service URLs as Configuration Options (-8)
SKILL.md contains two external URLs (https://app.temporal-cortex.com for account signup, https://mcp.temporal-cortex.com/sse for cloud MCP endpoint) presented as opt-in configuration alternatives. These are not instructions for the agent to autonomously fetch URLs; they are user-directed setup instructions. However, in a multi-skill environment, a different skill could potentially use these URL references to redirect an agent's MCP configuration.