Back to skill

Security audit

Gmail Lead Desk

Security checks across malware telemetry and agentic risk

Overview

This is a Gmail workflow skill that clearly discloses email access through AISA and mostly limits risky actions with user confirmation.

Install only if you are comfortable giving this workflow access to Gmail through AISA. Use it in draft-first mode, review recipients and message bodies before sending, confirm any batch archive/label action carefully, and avoid enabling advanced Gmail tools or attachment uploads unless the user explicitly asks for that specific action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The documentation broadens permitted actions from a stated draft-first lead-desk workflow to effectively any Gmail tool, including send, label modification, and batch operations. That creates scope creep between the manifest and implementation guidance, increasing the chance an agent or operator performs higher-risk mailbox actions the user did not expect, such as sending emails or bulk-changing messages.

Context-Inappropriate Capability

Low
Confidence
77% confidence
Finding
Attachment upload support extends the skill beyond the described lead-desk workflow and introduces an additional data egress path. Even if intended for convenience, attachments can increase the risk of accidental disclosure or sending sensitive files when the core skill description does not clearly require that capability.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README advertises OAuth-based Gmail access, scanning unread messages, summarizing threads, drafting replies, and archiving, but it does not clearly warn users that the skill will access and process potentially sensitive email content. Because this is customer support and sales workflow automation, the messages may contain personal, financial, or confidential business information, so omission of a privacy notice can lead to uninformed consent and unsafe deployment.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.