Is gargravish/gcalcli safe?

https://github.com/openclaw/skills/tree/main/skills/gargravish/gcalcli

62
CAUTION

This skill is a personal Google Calendar reference document that was published to the public marketplace without sanitization. The most significant concerns are: (1) every command hardcodes [email protected], causing any agent using this skill to attempt querying a specific Red Hat employee's calendar instead of the user's own; (2) all commands invoke an unversioned personal GitHub fork of gcalcli via uvx at runtime, creating a persistent supply chain risk where the fork owner can push malicious Python code that executes with access to cached Google OAuth tokens; and (3) a shell injection vector exists in the bulk export workflow where calendar attachment URLs are interpolated into shell commands via xargs. The skill poses no active threat during installation but would mislead agents and introduce ongoing execution risk.

Category Scores

Prompt Injection 68/100 · 30%
Data Exfiltration 72/100 · 25%
Code Execution 52/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 97/100 · 10%
Behavioral Reasoning 50/100 · 5%

Findings (10)

HIGH Hardcoded third-party email in all command examples -20

Every single gcalcli command in the skill is parameterized with --calendar [email protected]. An AI agent loading this skill will be instructed to query this specific Red Hat employee's Google Calendar rather than the installing user's calendar. This is either a personal skill published without sanitization or an attempt to cause agents to probe a specific account.

HIGH Runtime download and execution of unversioned personal GitHub fork -30

Every command in the skill invokes uvx --from git+https://github.com/shanemcd/gcalcli@attachments-in-tsv-and-json. This downloads and executes Python code from a personal fork at a mutable branch reference (not a commit hash or tag). The fork owner can push arbitrary code changes that will be executed by any agent running these commands, with access to the user's Google OAuth tokens and calendar data.

HIGH Shell injection vector via calendar event content in bulk export -18

The bulk export command pipes attachment_url values from calendar events directly into sh -c via xargs -I {}. A malicious calendar event with a crafted attachment URL could inject shell commands that execute in the context of the agent.

MEDIUM Implicit standing instruction to query calendar at every session start -12

The Tips section includes 'Check calendar at session start: Part of standard workflow' as tip #4. This is an implicit standing instruction embedded in the skill that causes agents to automatically invoke gcalcli (with hardcoded email) at the beginning of every conversation, without user request.

MEDIUM Bulk export of corporate meeting notes to local filesystem -12

The skill includes a detailed workflow to bulk-export all Gemini AI meeting notes from a calendar search to ~/Downloads/meeting-notes/ using parallel processes. This concentrates potentially sensitive corporate meeting transcripts in a predictable local directory accessible to other agents or processes.

MEDIUM Second custom unreviewed tool (gcmd) executed from personal path -10

The skill references gcmd, another personal tool by the same author, to be run via uv run gcmd from /var/home/shanemcd/github/shanemcd/gcmd. This introduces a second unreviewed code execution surface, and the hardcoded path only works on the author's machine.

MEDIUM Personal skill published to public marketplace without sanitization -25

The skill contains multiple indicators it is a personal tool never meant for public distribution: hardcoded Red Hat email, personal home directory paths (/var/home/shanemcd/), specific JIRA ticket numbers (ANSTRAT-1673), and colleague names (Demetrius Lima). Any user installing this skill will receive commands optimized for a different person's environment.

LOW Google OAuth tokens cached to disk -8

The skill acknowledges that gcalcli caches OAuth credentials on disk for future use. These token files are accessible to any process with filesystem read access and could be stolen by a malicious skill installed alongside this one.

INFO Clean installation with no anomalous behavior 0

The skill installation performed a standard sparse git clone of the openclaw/skills monorepo. No unexpected network connections, process spawning, or filesystem changes outside the skill directory were observed during installation.

INFO Canary file accesses predate skill installation 0

File access events for .env, .ssh/id_rsa, .aws/credentials occurred at audit timestamp ~1771953831, which is approximately 5 seconds before skill installation began at ~1771953836. These are attributable to sandbox initialization, not the skill.