Back to skill

Security audit

Tmp.RQhII45DXr

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Google Drive MCP skill that enables expected Drive management actions, but users should treat it as powerful because it can affect files, sharing, permissions, and comments.

Install only if you are comfortable letting the configured MCP server operate on the selected Google account's Drive. Before approving actions, verify the exact file or folder, destination, and permission target, especially for delete, move, replace, share, unshare, or comment modification operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger description is extremely broad ("any Drive operation" and a wide range of related actions), which increases the chance the skill is invoked for ambiguous requests without clear user intent. Because the skill exposes file management, sharing, deletion, and permission-changing capabilities, unintended invocation could lead to privacy-impacting or destructive actions being prepared or executed in the wrong context.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The tool list includes operations that can expose data, alter access, overwrite content, or delete comments/permissions, but the skill description does not warn about these risks or indicate that confirmation should be obtained first. In a Drive-management context, missing warnings make accidental data exposure, unauthorized sharing changes, and destructive modifications more likely, especially when combined with broad invocation conditions.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.