Is calendly-api safe?

https://clawhub.ai/byungkyu/calendly-api

Score: 74 (CAUTION)

This Calendly API skill is a documentation-only integration that proxies all requests through a third-party service (Maton). While it contains no executable code or traditional malware indicators, it creates significant trust-boundary concerns by routing all API credentials and scheduling data through maton.ai, normalizes inline code execution via numerous Python heredoc examples, and cross-promotes additional skills from the same author. Filesystem monitoring detected reads of sensitive files (.ssh/id_rsa, .docker/config.json) during installation, though these may be attributable to the VM environment rather than the skill itself.

Category Scores

Prompt Injection 70/100 · 30%
Data Exfiltration 65/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 75/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 60/100 · 5%

Findings (10)

HIGH All data routed through third-party proxy (maton.ai) -25

Every API call is proxied through gateway.maton.ai rather than going directly to api.calendly.com. This gives Maton full visibility into all Calendly data including user emails, scheduling data, organization details, and meeting contents. The MATON_API_KEY grants access to all services connected through Maton, not just Calendly.

HIGH Sensitive file access during installation -25

Filesystem monitoring detected reads of SSH private key (.ssh/id_rsa), Docker credentials (.docker/config.json), and local calendar data during the skill installation process. While these could be from the VM's desktop environment initialization rather than the skill itself, the access pattern is concerning.

MEDIUM Cross-skill promotion enables skill chaining -15

The skill description explicitly promotes loading another skill (api-gateway) from the same author with a direct ClawHub URL. This creates a trust escalation path where installing one 'safe' skill leads to loading additional skills with potentially broader permissions.

MEDIUM Inline code execution normalized in skill instructions -15

The skill contains 20+ inline Python code blocks using heredoc patterns that the agent is expected to execute. While these are API call examples, they train the agent to accept and execute arbitrary inline code as a normal part of using this skill, lowering the barrier for code injection via prompt manipulation.

MEDIUM OAuth session tokens exposed in API responses -10

The connection management API returns OAuth session URLs containing session tokens. If an agent logs or displays these, the tokens could be captured by observers or stored in conversation history.

MEDIUM Webhook creation enables persistent data exfiltration -20

The skill allows creating webhook subscriptions with arbitrary callback URLs. An attacker could instruct the agent to create a webhook pointing to an attacker-controlled server, enabling persistent exfiltration of all scheduling events without needing ongoing access.

MEDIUM Destructive actions available (cancel events, delete connections) -20

The skill provides capabilities to cancel scheduled events and delete OAuth connections, which could be weaponized through prompt injection or skill chaining to cause real-world disruption to a user's calendar.

LOW No executable code files in repository -5

The skill contains only documentation (SKILL.md), metadata files, and a license. No executable scripts, npm packages, git hooks, submodules, or symlinks are present.

LOW JIT compilation activity during install -5

Files were created in /tmp/jiti/ during installation, suggesting a JIT compilation process. This is likely from the ClawHub installer rather than the skill itself, but indicates code execution during the install phase.

INFO All canary files intact 0

Honeypot files (.env, SSH keys, AWS credentials) were not modified during the audit. While .ssh/id_rsa was read (likely by the VM environment), it was not altered.