Recipe Create Vacation Responder

Security checks across malware telemetry and agentic risk

Overview

This recipe is transparent about changing Gmail vacation-responder settings, but it can enable broad automatic replies with a hardcoded message and no actual date range.

Review this before installing or running it. Edit the auto-reply subject/body, confirm the Gmail account, set real start and end dates if supported by the gws command, and choose whether replies should be limited to contacts or domain users before enabling it.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill changes Gmail account state by enabling an auto-responder and can send automatic replies to external recipients because both restrictToContacts and restrictToDomain are set to false. Without an explicit warning, confirmation step, or safer defaults, a user may unintentionally broadcast absence information and alternate contact details to anyone who emails them.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal