Persona Exec Assistant

Security checks across malware telemetry and agentic risk

Overview

This executive-assistant skill is coherent, but it can steer an agent to send email from an executive account without a clear approval step.

Review before installing in a real executive workspace. Use least-privilege Google Workspace scopes, inspect the required `gws` utility skills and binary, and enforce a rule that all outbound emails are shown with recipients and full body for explicit approval before sending.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 90%
Finding
The skill description is very broad for a high-privilege executive-assistant persona and lacks clear activation boundaries. Because it covers scheduling, inbox, and communications in general terms, the skill could be invoked for a wide range of common requests and steer the agent into acting with sensitive Gmail/Calendar/Chat capabilities without strong scoping or confirmation requirements.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill explicitly directs use of `gws gmail +send` to draft replies but does not warn that messages may be sent as the executive or require explicit approval before sending. In an executive-assistant context, this is especially dangerous because the account is high trust; unauthorized or mistaken outbound email could cause impersonation, disclosure of sensitive information, or business-impacting commitments.

VirusTotal

65/65 vendors flagged this skill as clean.
