Se Gmail Monitor

Security checks across malware telemetry and agentic risk

Overview

This Gmail skill matches its stated purpose, but it needs review because it can read business inboxes and send email with broad, partly conflicting approval rules.

Install only if you are comfortable giving the agent access to Gmail app passwords for the configured accounts. Before use, restrict the config to least-privilege accounts, disable unattended sending, and require explicit approval for every outbound email, especially during heartbeat or automated checks.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (3)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The description authorizes broad email tasks such as checking, sending, scanning, and triage, making the skill easy to invoke in many contexts without tight user intent verification. For a skill with access to real inboxes and outbound email, overly broad invocation language increases the chance of unintended access, overreach, or misuse by an agent acting autonomously.

Natural-Language Policy Violations

High

Confidence: 98% confidence
Finding: The rule stating that the Boris account can send operational/internal emails freely explicitly authorizes autonomous outbound messaging without user approval. Any autonomous send capability from a real organizational account can be abused for impersonation, phishing, disclosure of sensitive information, or operational mistakes that affect staff, clients, or partners.

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: The script can send email immediately based only on CLI arguments, with no confirmation, dry-run mode, recipient validation, or explicit user acknowledgement. In an agent skill that may be invoked during automated workflows or heartbeats, this increases the risk of accidental outbound messages, data leakage, or unintended external communication.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal