Gmail Label Manager

Security checks across malware telemetry and agentic risk

Overview

This Gmail organizer can change mailbox state and, if configured, forward sensitive email details to Telegram and create calendar events without those behaviors being clearly disclosed in the skill instructions.

Review carefully before installing. Do not run this on a real inbox unless you are comfortable with automatic Gmail changes, have a rollback plan for archived or mislabeled messages, understand the gog OAuth scopes, and have removed or tightly limited Telegram forwarding and automatic calendar creation. The calendar command construction should also be fixed before use because crafted email content may affect shell execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Intent-Code Divergence

Severity: High
Confidence: 92%
Finding
The header claims the script classifies and processes Gmail, but the implementation also exfiltrates email-derived content to Telegram and creates calendar events. This mismatch is security-relevant because users may grant Gmail access expecting local automation, while the script silently forwards private content and mutates other services.

Context-Inappropriate Capability

Severity: High
Confidence: 95%
Finding
The script is designed to bridge Gmail, Telegram, local files, and Google Calendar, creating broad cross-service data movement from highly sensitive email content. In an agent skill context, that materially increases risk because one permissioned workflow can leak medical, family, financial, and security data into multiple destinations without granular consent.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill description states that it will add and remove Gmail labels and archive emails, but it does not prominently warn users that it will modify message state and remove messages from the inbox. This can lead to unintended mailbox changes, missed important emails, and user surprise, especially if the skill is run automatically or incorporated into a pipeline.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The Telegram sender posts email-derived messages to an external service without any per-message confirmation, redaction, or sensitivity check. Because handlers include previews and extracted details, this can leak confidential content, including health, financial, school, and account-security information, to a third party and anyone with access to the Telegram chat.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The script automatically creates calendar events based on parsed email content with no validation or user approval. This can cause integrity issues such as spammy or misleading calendar entries, and in sensitive contexts may expose private medical, school, or travel details into a shared calendar.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The script modifies Gmail state by applying/removing labels and archiving messages automatically, which can hide important emails or interfere with incident response and recordkeeping. Since classification is content-based and imperfect, attacker-crafted emails could be mislabeled or archived without user awareness.

Ssd 3

Severity: High
Confidence: 98%
Finding
The logging and Telegram functions persist and transmit sensitive summaries derived from emails to local files and an external chat platform. Local digest/log files can be read by other users or backups, and Telegram export extends exposure beyond the original mailbox with little control over retention or downstream access.

Ssd 3

Severity: High
Confidence: 97%
Finding
These handlers explicitly build outbound notifications containing email previews, sender names, subjects, and personal relationship context. That is dangerous because even short previews can disclose private correspondence, family matters, and other sensitive content to Telegram and local digest files without need-to-know restrictions.

Ssd 3

Severity: High
Confidence: 99%
Finding
The handlers extract and relay highly sensitive medical, school, financial, travel, and account-security data from emails into Telegram, local digests, and calendar entries. In this context, the danger is amplified because the script processes a personal mailbox and aggregates intimate household data, creating a centralized exfiltration and persistence channel for categories that are especially sensitive and potentially regulated.

VirusTotal

65/65 vendors flagged this skill as clean.
