ClawHub

Gmail Enhanced

Security checks across malware telemetry and agentic risk

Overview

This Gmail skill does what it claims, but it deserves review because it can send and modify email automatically and stores long-lived Gmail access tokens on disk.

Install only if you are comfortable granting broad Gmail read, send, label, and modify access. Protect the credential and token files, use a low-risk mailbox first, review saved rules before running process_rules, avoid broad auto-reply rules, and download attachments only into a controlled directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises capabilities that involve environment access, local file reads/writes, and network communication, but it does not declare permissions or clearly scope those behaviors for users. In a Gmail automation skill, those capabilities enable access to OAuth credential files, token files, downloaded attachments, and outbound email/API actions, so the missing permission disclosure weakens informed consent and review.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The feature set includes auto-reply rules, auto-categorization, and automated processing that can send messages or modify mailbox state, but the description does not warn users about those side effects. That omission is risky because users may enable automation without understanding it can send emails, relabel messages, archive content, or otherwise change account state at scale.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The attachment-handling section states that attachments can be downloaded locally or extracted to cloud storage, but it does not warn about the sensitivity of downloaded email content or the risk of moving files to external storage. In this context, attachments may contain confidential data or malware, so silent download/export behavior materially increases exposure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users to store credentials.json and tokens.json in environment-configured or default filesystem locations without warning that these OAuth artifacts are highly sensitive. If exposed through weak permissions, backups, logs, or other tooling, they can enable unauthorized access to the user's Gmail account with the granted scopes.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The rule processor can automatically label, mark read, archive, and auto-reply to emails in bulk with no confirmation, dry-run mode, audit log, or sender safeguards. In an agent skill context, this materially increases the chance of unsafe autonomous mailbox changes, accidental replies to attackers, or destructive workflow behavior triggered by broad queries.

Session Persistence

Medium
Category
Rogue Agent
Content
## Prerequisites

1. Enable Gmail API in Google Cloud Console
2. Create OAuth 2.0 credentials
3. Download credentials.json
4. Generate tokens.json (run once with authentication)
Confidence
82% confidence
Finding
Create OAuth 2.0 credentials 3. Download credentials.json 4. Generate tokens.json (run once with authentication) ## Configuration ```bash export GMAIL_CREDENTIALS_PATH="/path/to/credentials.json" ex

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal