Back to skill

Security audit

Tmp.XUCqN5AiCi

Security checks across malware telemetry and agentic risk

Overview

The skill is a real Gmail-management integration, but it gives an agent broad email and account-setting authority without enough built-in scoping or safety guidance.

Review this before installing if you use Gmail for sensitive personal or business mail. Only authorize the account you intend to expose, and require explicit confirmation for permanent deletion, forwarding, delegates, forwarding settings, filters, send-as, vacation responders, watch notifications, tracking, and any action that sends or downloads message content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill metadata says it includes only auth and Gmail tools, but the documented `gog_gmail_run` capability reaches into advanced account settings such as filters, delegates, forwarding, send-as, vacation, watch, and tracking. This is a scope-expansion and misleading-disclosure issue: an agent or user may authorize the skill expecting ordinary mailbox actions while it can also alter account configuration and enable surveillance-like functionality.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
Exposing email tracking under a Gmail-management skill introduces a capability that goes beyond ordinary read/write mailbox management and can be used to monitor recipients without clear disclosure. In an agent context, this increases privacy, consent, and abuse risk because users may not realize the skill can perform tracking-oriented actions.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The skill advertises destructive actions such as archive, trash, mark-read, and especially permanent batch delete without warning about reversibility, scope, or confirmation requirements. In a natural-language agent workflow, bulk actions driven by IDs or queries can cause large-scale unintended mailbox modification or irreversible data loss if invoked ambiguously or maliciously.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
Forwarding messages, downloading attachments, and sending autoreplies all affect message confidentiality or external disclosure, yet the skill provides no privacy or consent warning. In an agent setting, these actions can exfiltrate sensitive content or trigger unintended communications if the user request is ambiguous or manipulated.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.