gmail-checker

Security checks across malware telemetry and agentic risk

Overview

This Gmail skill does what it says, but it gives an agent broad email read, send, and mailbox-change power without clear confirmation safeguards.

Install only if you are comfortable giving the agent Gmail read, send, and modify access. Use the narrowest OAuth scopes possible, avoid refresh tokens unless needed, revoke tokens when finished, and require the agent to confirm exact recipients, message body, attachments, external research sources, and label/read-state changes before acting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding:
The skill is presented as a Gmail REST API integration, but it explicitly instructs the agent to perform arbitrary web search and page fetching with other tools before composing email content. This broadens the skill's effective capability beyond the declared scope, increasing the chance of prompt-driven data exfiltration, unreviewed browsing, or unintended access to unrelated external sites.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding:
The documented use of general-purpose web_search, xurl, or curl is not necessary for core Gmail operations and gives the skill a wider network reach than users would expect from a mailbox-management tool. In context, this makes prompt injection and data leakage more plausible because the agent may retrieve and incorporate content from arbitrary websites into outbound email workflows.

Vague Triggers

Medium
Confidence: 88%
Finding:
The trigger phrases are broad everyday language such as 'check my email' and 'reply to', which can increase accidental invocation of a high-privilege skill that can read mailbox contents or send messages. In an agent environment, overbroad triggers raise the risk of unintended access, unintended email transmission, or invocation by ambiguous conversational context.

Missing User Warnings

Medium
Confidence: 91%
Finding:
The skill lacks a clear warning that it will access mailbox contents and transmit email data to Gmail APIs, despite handling sensitive communications and potentially attachments. Without explicit disclosure, users may not realize the privacy impact of invoking the skill, especially when combined with broad triggers and optional research features.

VirusTotal

58/58 vendors flagged this skill as clean.
