Back to skill

Security audit

Google Drive based RAG

Security checks across malware telemetry and agentic risk

Overview

This document-chat skill appears useful but needs review because it can recursively copy private Drive files, persist searchable indexes, and send document content and queries to Gemini without clear consent controls.

Install only if you are comfortable with the skill reading the selected Google Drive scope, copying and indexing document contents locally, and sending document text, images, and search queries to Gemini for OCR or embeddings. Prefer using a dedicated low-risk Drive folder, avoid syncing regulated or highly confidential documents, restrict API keys, and confirm there is a clear way to delete the local index and downloaded files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The skill description promises secure document storage, retrieval, chat, syncing, and use of persistent ChromaDB, but the analyzed behavior reportedly differs in several material ways. Security-relevant mismatches can mislead users and operators about where data is stored, what processing occurs (including OCR/network use), and what actions the skill can actually perform, undermining informed consent and safe deployment.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This code transmits image contents to Google's Gemini API for OCR, meaning user file data leaves the local environment and is sent to a third party. In a skill described primarily as secure document storage/search in Google Drive and local ChromaDB, this is a material data-flow behavior that is not reflected in the stated capability, increasing the risk of undisclosed processing of sensitive documents.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The file adds a Gemini-based image transcription capability that expands the skill's effective behavior beyond simple file retrieval/chat, and it does so by sending file content to an external model provider. In the context of a document-handling skill that claims secure storage and local indexing, this undocumented external processing broadens the attack and privacy surface, especially for images containing confidential text.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The code sends user queries to Google's external embedding API even though the skill description emphasizes secure storage and local persistent retrieval. This creates an undisclosed data egress path for potentially sensitive document queries and makes the implementation materially different from the stated local-only behavior.

Context-Inappropriate Capability

Low
Confidence
83% confidence
Finding
Loading a local .env file to obtain a Gemini API key is not inherently malicious, but it indicates undeclared dependence on an external service. In this skill context, that matters because it expands the trust boundary and supports sending user-derived content off-box without being reflected in the declared purpose.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
Image files are uploaded to a generative Gemini model for OCR, which expands data processing beyond simple local indexing and creates an additional third-party disclosure path for potentially sensitive document content. In a document-storage skill, this is risky because users may reasonably expect retrieval/indexing behavior, not forwarding raw images to a multimodal model service.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The code builds shell command strings and executes them with execSync, incorporating folder IDs, file IDs, and output paths into the command line. Even though these values are expected to come from Google Drive metadata, using shell interpolation creates unnecessary command-injection risk if maliciously crafted values ever enter the flow, and it increases blast radius because the process executes external tools synchronously on the host.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrase `sync` is very broad and the README does not describe any activation constraints, confirmation step, or scope checks before performing a potentially high-impact action: recursively downloading, OCR-processing, embedding, and persistently storing documents from Google Drive. In an agent setting, such a generic trigger increases the chance of accidental or contextually inappropriate activation, which could expose or process sensitive files without the user clearly intending a full library sync.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README explicitly describes recursively downloading all files, resolving shortcuts, extracting text from files and images via OCR, embedding content, and saving it to a persistent local vector database, but it provides no explicit warning about the sensitivity of this data flow. Because the skill operates on potentially private Google Drive content and creates a local persistent searchable copy, users may not realize the extent of collection, transformation, and retention, increasing the risk of unintended exposure of confidential documents.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Using broad phrases like 'sync', 'flush', or 'update' as triggers can cause the agent to launch a potentially expensive and privacy-sensitive ingestion process on ordinary conversational input. Because syncing traverses Drive content, downloads files, and transmits text for embeddings, accidental invocation can lead to unintended data processing and external exposure.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs downloading a Google Drive file directly into the local workspace without explicitly warning the user that a copy will be written to disk. This can create unintended local persistence of sensitive documents in a shared or inspectable environment, increasing risk of data leakage beyond the original Drive context.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
At this line, the code submits the prompt and image bytes to an external AI service with no visible notice, consent, or data-classification check. Because this skill is intended for stored user documents, the images may contain sensitive personal or business information, making undisclosed third-party transmission a meaningful privacy and compliance risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The search query text is transmitted to an external embedding provider with no indication of user notice or consent in the code. Because users may query highly sensitive saved documents, even the query string can reveal confidential intent, names, case details, or regulated information.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill transmits document text and image contents to external Gemini embedding/OCR endpoints, which can expose confidential file contents to a third-party AI service. In the context of a Google Drive-backed document assistant, this is especially sensitive because the synced corpus may include private business or personal records, and the code provides no visible consent, minimization, or policy gating.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
sync.js:21