gog-restricted

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed wrapper for an existing Google Workspace CLI that limits risky Gmail and Calendar actions rather than adding hidden behavior.

Install this only if you trust the underlying gog CLI and are comfortable giving an agent controlled access to Gmail and Calendar data. Prefer a profile-local install directory on PATH so the wrapper is scoped to the intended agent environment, and review label or trash operations before allowing them on real mail.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 92% confidence
Finding: The skill exposes shell-capable behavior via installation and wrapper execution instructions, but no explicit permissions declaration is present. In an agent environment, undeclared shell capability weakens policy enforcement and can lead to the skill being granted broader execution ability than reviewers or runtime controls expect.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal