Back to skill

Security audit

gmailcleanerfall

Security checks across malware telemetry and agentic risk

Overview

The package is advertised as a Gmail reader, but it also includes tools that can delete, move, draft/send, export, analyze, and automate email, so it needs manual review.

Install only if you intend to grant a broad email-management assistant access to your Gmail, not just a reader. Review and limit Google OAuth scopes, avoid --auto and cron cleanup until tested, confirm every send/delete/bulk action, and be aware that email contents may be processed by Anthropic and written to local logs or report files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (43)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares no explicit permissions while instructing use of shell commands, environment variables, OAuth credentials, local token generation, and networked access to Gmail/IMAP. This creates a trust and review gap: operators may approve a seemingly read-only skill without realizing it can access sensitive mailbox data and write authentication artifacts locally.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The file materially exceeds the stated skill purpose of reading/searching email by performing bulk LLM-based content analysis and writing derived output files. This scope expansion is security-relevant because it changes the data flow from local email access to external content processing, increasing privacy and compliance risk without being clearly disclosed by the skill metadata.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code sends sender, subject, truncated body content, and attachment filenames to Anthropic, which is an external third-party service unrelated to the narrow advertised function of reading/searching Gmail or IMAP. This creates a real confidentiality risk because potentially sensitive email content leaves the user's environment without clear necessity, minimization, or transparency.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill is described as read/search only, but the OAuth scopes include gmail.modify and gmail.compose, granting the ability to alter mailbox state and create/send drafts or messages. This violates least privilege and materially expands the blast radius if the skill, host, or token is abused.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Enabling modification and composition capabilities in an email-reading skill creates hidden authority beyond the stated purpose. In the context of an agent skill, this is especially dangerous because a downstream prompt injection, tool misuse, or token theft could turn read-only access into message tampering or outbound email actions.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This file implements Gmail label creation, renaming, and deletion, which are write operations inconsistent with the skill’s stated read/search-only purpose. In an agent context, hidden or undocumented mailbox modification capabilities increase the risk of unauthorized state changes, social engineering of the operator, or accidental destructive actions such as deleting labels tied to mail organization workflows.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill’s scope extends beyond passive email reporting into cross-service export and mailbox state recovery. Exporting email-derived data to Google Sheets/Docs increases data exfiltration and privacy risk, and combining reporting with action-oriented features makes it easier for a broad reporting request to trigger unintended side effects.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The `gog gmail untrash <ID>` command modifies mailbox state, which is not necessary for a reporting/statistics skill. In a skill likely to be invoked for summaries or audits, including a write-capable recovery action creates risk of unauthorized or accidental restoration of messages, potentially interfering with user intent, retention state, or evidence handling.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill is described as a scheduler, but the documented behavior includes composing drafts and scheduling email sends. That expands the capability from passive scheduling/reminders into active outbound actions, which can cause unintended or unauthorized communication if invoked under overly broad routing or without explicit confirmation. In an email automation context, hidden send capability materially increases risk.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The documentation includes a direct trashing workflow for spam messages using gog+jq+xargs, but the manifest does not clearly disclose deletion behavior. Destructive operations on email are high-risk because mis-scoped searches, malformed filters, or broad invocation can irreversibly remove messages the user may still need.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file explicitly implements destructive Gmail organization actions such as trash, archive, move, mark read/unread, and delete, which exceeds the stated skill scope of an 'email-reader' that should only read/search mail. In an agent setting, this scope mismatch is dangerous because a caller expecting read-only behavior could unintentionally cause irreversible mailbox changes or loss of emails.

Description-Behavior Mismatch

Critical
Confidence
100% confidence
Finding
The code supports permanent deletion via svc.users().messages().delete(...), which can irreversibly remove user emails. Because the skill is presented as an email reader, this creates a severe trust and capability mismatch that could lead to silent destructive actions, data loss, and abuse if invoked by an agent or prompt chain under false assumptions.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script exports Gmail-derived metadata such as senders and subjects into a user-specified Markdown path, which creates a data exfiltration and unintended persistence risk beyond simple read/search behavior. Because the output path is unrestricted and the content comes from potentially sensitive email data, this can leak private information into arbitrary files, shared folders, synced locations, or repositories.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The module explicitly advertises and implements draft creation, template use, follow-up workflows, and email sending, which materially exceeds the skill's declared read/search-only purpose. This mismatch is dangerous because users or orchestrators may grant permissions or trust assumptions based on the manifest, while the code can perform write-side Gmail actions with real-world consequences.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The code creates Gmail drafts through the API, which is a write operation inconsistent with a reader/search skill. In this context, capability creep is security-relevant because an agent expected to only inspect email can instead modify mailbox state and prepare outbound communications that may later be sent.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Email bodies and thread history are sent to Anthropic for response generation, introducing third-party data exfiltration beyond the stated Gmail reading/search purpose. This is especially dangerous because emails commonly contain sensitive personal, business, or regulated data, and the transfer occurs without visible consent, minimization, or policy enforcement in this file.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Template management and follow-up workflow features are not themselves exploit primitives, but they do extend the skill from passive reading into active email-assistant behavior not reflected in the manifest. That discrepancy can mislead users and integrators about the operational scope and trust boundary of the skill.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The docstring openly documents sending emails, managing drafts, templates, and follow-ups, contradicting the declared reader-only positioning of the skill. Such contradiction is security-significant because reviewers or automated systems may approve the skill under an inaccurate capability model while the code performs higher-risk actions.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill is described as a read/search Gmail capability, but this code performs state-changing Gmail operations by calling messages.modify(), removing INBOX and UNREAD labels and adding another label. In an agent setting, this creates a dangerous mismatch between declared capability and actual behavior, which can silently move or mark emails as read and cause loss of visibility over important messages.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
Interactive rule creation and persistence in rules.json extend the skill beyond passive email reading into durable automation that can later change mailbox state. Persistent rules increase risk because a one-time invocation can create ongoing behavior that users may not expect from a read/search skill.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill is presented as an email-reader, but this scheduler analyzes emails, classifies them, and performs destructive actions such as trashing messages. That scope expansion is dangerous because a caller expecting read/search behavior could unknowingly authorize automated modification or deletion of mailbox contents, especially in --auto mode or periodic execution.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The code stores detected prompts from emails via guardar_prompts, which goes beyond simple reading/searching and creates an additional persistence channel for email-derived content. This increases risk of sensitive-data retention and prompt-injection propagation because untrusted email text is being harvested and stored for later use.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The scheduler requires an ANTHROPIC_API_KEY to analyze email content, implying external transmission or processing of mailbox data by a third-party model service. For a skill described as an email-reader, this is a material capability and privacy boundary change that users may not expect, especially when handling potentially sensitive emails.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The module docstring states this is a periodic email agent that reads, analyzes, acts, and notifies, which contradicts the advertised positioning as a reader/search tool. Such misrepresentation is security-relevant because operators may deploy it under weaker assumptions than its actual behavior warrants.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script transmits email thread contents, including senders, dates, and message bodies, to Anthropic for summarization. In the context of an email-reading skill whose stated purpose is read/search, this is a material expansion of data use to a third-party service and creates a real confidentiality and privacy risk, especially because emails commonly contain sensitive personal, business, or credential-related information.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.prompt_injection_instructions

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
mnt/user-data/outputs/email-manager-v3/email-analyzer/SKILL.md:64