Is h8kxrfp68z-lgtm/icalendar-sync safe?

The skill.yaml contains an explicit comment acknowledging that cached metadata or a prior version claimed no credentials were required, despite credentials being mandatory. This is a direct admission of having previously deceived the security review pipeline by hiding the credential requirement. Hiding credential requirements is a known technique to lower the perceived risk of a skill during automated scanning.

The version history shows a concentrated effort to pass automated security scanning rather than deliver functional improvements. Versions 2.2.3 through 2.3.0 were published in approximately 1.6 days (143,285 seconds). Changelog entries for multiple versions are dedicated exclusively to addressing scanner-specific issues: metadata format, security documentation, re-indexing, and credential declaration. This pattern indicates adversarial awareness of the scanning system and deliberate manipulation of it.

The repository includes install.sh and SKILL.md instructs users to run it directly ('bash ./install.sh'). The oathe audit system installed via copy-only, so the script was never executed during this audit. The file was read by the source auditor (auditd record 852) but its full content is not present in the provided evidence, leaving a gap in safety verification. Malicious install scripts are a primary delivery vector for skills that otherwise appear clean.

The skill requires an iCloud app-specific password and connects with full principal access to caldav.icloud.com, granting read/write access to all calendars. Calendar data exposes meeting schedules, attendees, locations, and personal commitments. The skill provides no scoping or minimum-privilege model — it requests access to all calendars. Credentials can also be supplied via plain environment variables (ICLOUD_APP_PASSWORD), which are often logged or visible in process listings.

Filesystem monitoring detected reads of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCloud credentials. However, critical context establishes these were not caused by the skill: (1) accesses occurred at audit timestamp 1771904145.059, approximately 5 seconds before the git clone began at 1771904150.493; (2) the skill had not yet been installed when these reads occurred; (3) canary integrity confirmed all files intact. This pattern is consistent with the oathe platform seeding honeypot files at monitoring initialization. Recorded as a finding for completeness.

The 'setup' command (permissions: [admin]) interactively prompts for iCloud email and app-specific password and stores them in the system keyring. When this skill is injected into an agent's system prompt, an adversarial user prompt or a malicious co-installed skill could chain a 'setup' invocation, causing the agent to prompt the user for credentials outside the expected flow or collect them in a misleading context.

The publisher username 'h8kxrfp68z-lgtm' combines an apparent random hash prefix with '-lgtm' (Looks Good To Me). This naming pattern is atypical for legitimate skill authors and is consistent with a purpose-built account designed to mock or signal awareness of approval workflows.

The reviewed Python source (calendar.py, i18n.py, init.py, main.py, translations_extended.py) implements rate limiting (10 calls/60s), credential redaction in logs via SensitiveDataFilter, SSL verification enforcement, input validation on calendar names including path traversal prevention, and JSON file size limits. These are defensive measures consistent with a legitimate security-conscious implementation.