ClawHub

ez-google

Security checks across malware telemetry and agentic risk

Overview

This Google Workspace skill is functional and not clearly malicious, but it needs Review because it grants broad, long-lived Google access through a third-party hosted OAuth flow and includes powerful write, delete, and messaging actions with limited safeguards.

Install only if you are comfortable giving this skill broad access to your Google account and trusting the hosted OAuth service. Prefer a dedicated or low-risk Google account, review Google’s consent screen carefully, avoid bypass flags such as Gmail bulk-trash -y unless you explicitly approved the exact query, and revoke the OAuth grant when you are done.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The manifest and documentation present a narrower feature set than the actual documented commands, omitting Chat messaging capabilities until later in the file. In a security-sensitive skill, incomplete disclosure is dangerous because reviewers and users may approve the skill under false assumptions about accessible data sources and outbound communication channels.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The auth helper requests Google Chat scopes (`chat.spaces.readonly` and `chat.messages`) even though the skill description does not clearly require Chat access. Overbroad OAuth scopes violate least-privilege and increase blast radius: a compromised token or abusive downstream tool could read chat metadata and send chat messages beyond the user’s intended consent.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill metadata advertises Gmail, Calendar, Drive, Docs, Sheets, Slides, and Contacts, but this file implements Google Chat read/send functionality. That creates a scope mismatch where an agent or user may grant broader or different capabilities than expected, increasing the risk of unauthorized message access or message sending in a separate Google product. In an agent-friendly OAuth context, hidden cross-product capabilities are especially risky because users may rely on the manifest description to understand what data and actions the skill can access.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger description is extremely broad and can match almost any Google-related task, increasing the likelihood that an agent invokes the skill in contexts the user did not specifically intend. Because the skill can read, write, delete, and message across multiple Workspace services, over-broad routing materially raises the risk of unauthorized or surprising actions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill documents destructive and data-modifying commands such as email sending, bulk trashing, label changes, calendar deletion, document edits, sheet writes, and chat sending without clear safety warnings or confirmation requirements. In an agent setting, this can lead to accidental mass data loss, unauthorized communications, or silent modification of business records, especially where commands support bulk or skip-confirmation modes.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script defaults to a hosted OAuth endpoint at `https://ezagentauth.com` and opens the browser there without prominently warning that authentication is being brokered by a third-party service. This creates a trust and credential-handling risk because the external service can influence scope presentation, token issuance flow, and potentially gain access to sensitive authorization artifacts.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script writes OAuth credentials, including refresh tokens and client secrets, to disk in the user home directory without setting restrictive permissions or clearly communicating the sensitivity of the files. On multi-user or weakly secured systems, these tokens could be recovered and reused for persistent access to Gmail, Drive, Calendar, and other Google data.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The delete command performs an irreversible calendar event deletion immediately after receiving an event ID, with no confirmation prompt, dry-run mode, or safeguard against accidental invocation. In an agent-oriented Google Workspace skill, this increases the risk of unintended destructive actions from prompt misunderstanding, bad tool routing, or malicious prompting, causing loss of calendar data or disruption of meetings.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal