
Security checks across malware telemetry and agentic risk

Overview

This is a broad Google Workspace CLI, but its root skill description under-discloses several sensitive services and tracking behaviors, so users should review it carefully before installing.

Install only if you are comfortable granting a third-party CLI broad Google Workspace authority beyond the root description. Use explicit --services and --readonly or narrower Drive scopes where possible, avoid enabling email tracking unless you understand the privacy/compliance implications, and review any Docs/Slides image import flows that temporarily make local images publicly readable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (60)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill exposes high-impact capabilities including shell, network, environment access, and file writes, but does not declare any permissions or safety boundaries. In an agent setting, this reduces transparency and can allow the skill to perform external actions or handle sensitive local data without explicit user awareness or policy gating.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented purpose says the skill is for Gmail, Calendar, Drive, Contacts, Sheets, and Docs, but the underlying tool apparently supports many additional administrative and collaboration features including credential/token management and broad Google Workspace operations. This mismatch can mislead users and reviewers about the true attack surface, causing overbroad trust and enabling unexpected access to sensitive services or account-management functions.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The documentation describes an email-tracking worker that records recipient opens, which is a surveillance capability not justified by the stated Google Workspace CLI scope. This mismatch increases the risk of hidden data collection and makes it easier for a seemingly benign tool to include privacy-invasive behavior without clear user expectation or consent.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The documented `GET /q/<tracking_id>` endpoint returns open data with no authentication, allowing anyone who obtains or guesses a tracking identifier to retrieve recipient engagement information. This exposes sensitive behavioral metadata and can enable unauthorized monitoring, correlation of email activity, and privacy violations.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The document describes an email-open tracking capability that adds recipient surveillance behavior beyond a typical Google Workspace CLI expectation. Even though it is framed as optional instrumentation, it enables covert collection of recipient interaction metadata and therefore creates privacy, compliance, and misuse risk.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The feature depends on external Cloudflare Worker infrastructure and stores IP address, user-agent, and potentially derived geo data, expanding the trust boundary beyond Google Workspace. This increases data exposure, third-party dependency, and compliance risk because recipient metadata is collected and processed outside the primary platform.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This file implements Google Classroom guardian and guardian invitation management, which is materially broader than the skill's declared scope of Gmail, Calendar, Drive, Contacts, Sheets, and Docs. Scope mismatch is dangerous because it can expose or enable sensitive student/guardian data access and destructive actions (such as deleting guardians or creating invitations) that operators and reviewers would not reasonably expect from the published manifest.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
This command clearly accesses Google Classroom user profile data via `newClassroomService` and `svc.UserProfiles.Get(userID)`, but the manifest reportedly does not declare Classroom functionality. That mismatch is dangerous because it can hide real capabilities from reviewers and users, causing under-scoped consent/review and unexpected access to educational profile data such as email, identity, and teacher-verification status.

Description-Behavior Mismatch

High
Confidence
89% confidence
Finding
This code enables adding and removing students from Google Classroom courses, which is a privileged administrative action not reflected in the stated skill description. Hidden or undisclosed modification capabilities are dangerous because users or integrators may grant trust or permissions under the assumption the tool only handles less sensitive Workspace apps, leading to unauthorized roster changes if the capability is invoked.

Description-Behavior Mismatch

High
Confidence
90% confidence
Finding
This section adds and removes teachers in Google Classroom, which is more sensitive than read-only access because it changes course authority and access. When such functionality exists outside the advertised product scope, it increases the risk of misuse, surprise privilege escalation in operational contexts, and unsafe trust decisions by users who would not expect teacher-management capabilities from this skill.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This file implements full Google Classroom student submission management, including listing submissions, viewing submission details, turning in, reclaiming, returning, and grading. If the skill's declared manifest scope only describes Gmail/Workspace functionality without clearly including Classroom and grade-management permissions, users and downstream systems may grant broader authority than expected, creating a scope mismatch that can enable unauthorized educational record access or modification.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This file implements full Google Classroom topic management despite the skill metadata describing only Gmail, Calendar, Drive, Contacts, Sheets, and Docs. That mismatch expands the tool's effective permission and capability surface beyond what users and reviewers would reasonably expect, creating a covert functionality risk and undermining informed consent for operations that can modify or delete Classroom resources.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
This is a real destructive logic flaw: the advertised 'delete other contact' path never deletes the specified other contact. Instead it copies the target into My Contacts and deletes the copied regular contact, so the original other contact remains while the command reports success. In a CLI that manages Google contacts, this is dangerous because users and scripts may rely on deletion for privacy/compliance cleanup while the operation silently fails, leaving sensitive contact data in place.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The code uploads local images to Google Drive and then grants them 'anyone/reader' access so the Docs API can fetch them. That materially broadens data exposure beyond a normal local import flow: any imported local image becomes publicly reachable via a URL, even if only temporarily, which can disclose sensitive content if users import private markdown assets.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The command supports email open-tracking via --track and --track-split, but the skill description only presents it as a general Google Workspace CLI. Hidden or under-disclosed tracking functionality is a real security/privacy concern because users may unknowingly deploy surveillance-style behavior that collects recipient engagement data without clear consent or expectation.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
This command prints sensitive operational details for the email-tracking subsystem, including config path, worker URL, worker/database identifiers, and whether an admin key is configured. Even without disclosing the secret itself, exposing this metadata can aid reconnaissance, reveal hidden capabilities beyond normal Gmail CLI behavior, and lower the effort required for follow-on attacks against the tracking backend or local environment.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The command reveals internal tracking infrastructure details such as worker URL, worker name, database name, and database ID that are not required for ordinary Gmail/Workspace usage. In the context of a Google Workspace CLI, this broadens information exposure and can help an attacker map backend services, correlate accounts to tracking resources, or identify targets for abuse.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The status/output path prints the stored webhook token directly to stdout when state.Hook.Token is set. This exposes a live bearer secret to terminals, logs, shell history capture, CI output, or any caller consuming the command output, enabling unauthorized use of the downstream webhook.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The command grants the uploaded image 'anyone' read access in Google Drive to obtain a publicly fetchable URL for Slides insertion. This can expose sensitive local images to anyone with the link, and the user is not clearly warned in this code path that their file will become publicly accessible, even if only temporarily.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
This command performs a destructive Google Slides operation by calling the Slides API to delete a slide, but the skill metadata reportedly omits Google Slides. That mismatch is security-relevant because users and reviewers may underestimate the skill's scope and grant or accept broader capabilities than disclosed, enabling unexpected destructive actions against presentation content.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The command uploads a local image to Google Drive and then explicitly grants it 'anyone' read access so Slides can fetch it by URL. That exposes the file outside the user's account boundary, and if the deferred deletion does not occur promptly or the link is logged/shared, the uploaded image may be accessible to unintended parties.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
This file implements full Google Tasks list/get/add/update/complete/delete/clear functionality even though the declared skill description only mentions Gmail, Calendar, Drive, Contacts, Sheets, and Docs. That mismatch expands the effective permission and action surface beyond what a user or reviewer would reasonably expect, creating a capability-hiding issue that could enable unauthorized task modification or deletion under the guise of a narrower workspace tool.

Description-Behavior Mismatch

High
Confidence
90% confidence
Finding
This file adds Google Chat API support and requests Chat scopes, while the skill metadata describes only Gmail, Calendar, Drive, Contacts, Sheets, and Docs. That mismatch expands the tool's effective privileges beyond what a user would reasonably expect, creating a risk of unauthorized access to Chat spaces, messages, memberships, and read-state data if the capability is invoked.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
This file instantiates a Google Classroom API client even though the skill manifest reportedly does not declare Classroom functionality. That mismatch can create hidden or undocumented capability, which is risky because users and reviewers may not realize the skill can access Classroom data if the necessary credentials or scopes are available elsewhere.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The file creates a Google Forms API client even though the skill manifest reportedly does not declare Forms support. This hidden capability expands the tool's effective access surface beyond what users and reviewers expect, which can undermine consent, auditing, and least-privilege assumptions if OAuth scopes or account routing allow Forms access.

VirusTotal

65/65 vendors flagged this skill as clean.
