Google Services Secure

Security checks across malware telemetry and agentic risk

Overview

This skill fits its Google Workspace purpose, but it overstates security controls while persisting OAuth tokens and showing raw write-capable Google API commands without enforced safeguards.

Review carefully before installing. Use least-privilege Google OAuth scopes, keep secrets out of shell startup files, do not treat the advertised enterprise controls (confirmation prompts, audit logging, rate limiting, input sanitization) as enforced, treat $HOME/.google-oauth-token as a persistent credential for the whole account, and manually confirm any write-capable Google API command before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (12)

Intent-Code Divergence

Medium severity (95% confidence)
Finding
The document claims tokens are stored securely in memory, but examples rely on bearer tokens in shell environment variables, which may persist in shells, process environments, and user startup files. This inconsistency can lead to token leakage through history, debugging, inherited environments, or multi-user host inspection.

Intent-Code Divergence

Medium severity (96% confidence)
Finding
The skill claims dangerous operations require explicit confirmation and that read-only mode is the default, yet the examples show immediate mutating API requests with no enforcement layer. Users may assume the skill blocks unsafe operations when in reality copied commands can send mail, upload files, or create events directly.

Intent-Code Divergence

Medium severity (95% confidence)
Finding
The documentation promises complete audit logging, but the examples bypass any logging component and invoke Google APIs directly. This creates a false sense of accountability and can leave sensitive actions untracked, undermining incident response and compliance expectations.

Intent-Code Divergence

Low severity (92% confidence)
Finding
The file advertises rate limiting as a built-in safeguard, but the shown operations are unrestricted direct requests with no throttling mechanism. This is risky because users may unintentionally exceed API quotas or enable abusive automation while believing limits are enforced.

Intent-Code Divergence

Medium severity (94% confidence)
Finding
The skill states that emails, file IDs, and parameters are sanitized, but later examples interpolate variables directly into requests and file paths without validation. In practice this can enable malformed requests, dangerous local file writes, or injection into downstream tooling when untrusted values are used.

Intent-Code Divergence

Medium severity (94% confidence)
Finding
The document makes contradictory security claims by stating tokens are never written to files while also allowing a token file secured with chmod 600. This inconsistency can mislead operators into believing file-based token persistence is safe or expected, increasing the chance of insecure credential handling and weakening incident response assumptions.

Intent-Code Divergence

Medium severity (92% confidence)
Finding
The guide claims tokens are not stored in files, but the audit section instructs users to grep local directories for access_token and refresh_token. That contradiction undermines trust in the security model and may normalize token presence on disk, which could expose credentials through backups, logs, or local compromise.

Intent-Code Divergence

Medium severity (95% confidence)
Finding
The script exports OAuth access and refresh tokens into the shell environment and explicitly instructs the user to echo them. Environment variables are inherited by every child process, can land in shell history and debug traces (set -x), are readable by the same user or root through /proc/<pid>/environ on Linux, and are easily captured in logs, which undermines the stated credential-isolation claim.

Intent-Code Divergence

Medium severity (90% confidence)
Finding
On token exchange failure, the script prints the full OAuth server response directly to stdout/stderr. Error payloads can contain sensitive details, reflected request parameters, or troubleshooting data that may be captured in terminal logs, CI logs, or support transcripts.

Intent-Code Divergence

Medium severity (94% confidence)
Finding
The connectivity test tells users to check API key validity and OAuth credentials, but the request never uses GOOGLE_API_KEY, GOOGLE_CLIENT_ID, or GOOGLE_CLIENT_SECRET. This creates a false sense of security: operators may believe credentials are verified when the script only confirms that a public Google endpoint is reachable.
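
The findings above on environment-variable tokens, unenforced write confirmation, verbose error output and the credential-free connectivity test share one root cause: the raw API commands have no wrapper. The following is an added example, not code from the skill or from SkillSpector, showing what such a wrapper looks like. It assumes the token file holds a single plain access token on its first line (the report does not show the skill's real file format), that curl is installed, and that the token carries a Drive scope for the verification call; the function names are ours.

```shell
#!/bin/sh
# Added example (not the skill's own code). A thin wrapper around raw Google
# API calls that: reads the token from a 0600 file only at call time (never
# exported), requires an interactive "YES" for any non-GET request, keeps the
# token out of curl's argv, and reports failures without dumping the response.
# Assumption: the token file holds one plain access token on its first line;
# the skill's real file format is not shown in the report.
set -u

TOKEN_FILE="${GOOGLE_TOKEN_FILE:-${HOME:-/nonexistent}/.google-oauth-token}"

# True only for a regular file whose mode is exactly 0600.
token_file_ok() {
  [ -f "$1" ] || return 1
  [ -n "$(find "$1" -prune -perm 600 -print 2>/dev/null)" ]
}

# GET and HEAD are read-only; everything else can mutate Workspace state.
is_write_method() {
  case $(printf '%s' "$1" | tr '[:lower:]' '[:upper:]') in
    GET|HEAD) return 1 ;;
    *) return 0 ;;
  esac
}

# Show enough of a token to identify it, never the whole value.
redact() { printf '%.4s...\n' "$1"; }

# Print the token for command substitution; it lives in the caller's local
# variable, not in the environment of every child process.
read_token() {
  token_file_ok "$TOKEN_FILE" || {
    echo "refusing: $TOKEN_FILE must be a regular file with mode 0600" >&2; return 1; }
  tok=
  IFS= read -r tok < "$TOKEN_FILE" || true   # read fails on a missing final newline
  [ -n "$tok" ] || return 1
  printf '%s' "$tok"
}

# Write-capable calls need a human typing YES on an interactive terminal.
confirm_write() {
  [ -t 0 ] || { echo "refusing $1 $2: no interactive terminal to confirm" >&2; return 1; }
  printf 'About to send %s to %s\nType YES to continue: ' "$1" "$2" >&2
  IFS= read -r ans
  [ "$ans" = YES ]
}

# google_api METHOD URL [JSON_BODY]
google_api() {
  method=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
  url=$2
  data=${3:-}
  if is_write_method "$method"; then confirm_write "$method" "$url" || return 1; fi
  tok=$(read_token) || return 1
  body=$(mktemp) || return 1
  if [ -n "$data" ]; then set -- -H 'Content-Type: application/json' --data "$data"; else set --; fi
  # The Authorization header goes in via a curl config read from stdin (-K -),
  # so the bearer token never appears in ps output or shell history.
  status=$(printf 'header = "Authorization: Bearer %s"\n' "$tok" |
    curl -sS -K - -X "$method" "$@" -o "$body" -w '%{http_code}' "$url")
  tok=
  case $status in
    2??) cat "$body"; rm -f "$body"; return 0 ;;
    *)   # Report only the HTTP code and Google's "status" field, not the payload.
         echo "$method $url failed: HTTP ${status:-none} $(grep -o '"status": *"[^"]*"' "$body" | head -n 1)" >&2
         rm -f "$body"; return 1 ;;
  esac
}

# A connectivity check that actually exercises the credential: Drive's
# read-only "about" resource (assumes the token carries a Drive scope).
verify_credential() {
  google_api GET 'https://www.googleapis.com/drive/v3/about?fields=user' >/dev/null &&
    echo "token $(redact "$(read_token)") accepted by Drive" >&2
}

if [ $# -gt 0 ]; then google_api "$@"; fi
```

Usage: `sh google_api.sh GET 'https://www.googleapis.com/drive/v3/files?pageSize=5'` runs without a prompt; `sh google_api.sh POST 'https://gmail.googleapis.com/gmail/v1/users/me/messages/send' '{...}'` stops until YES is typed and refuses outright when stdin is not a terminal, so an agent cannot drive it non-interactively. The wrapper does not add audit logging or rate limiting; those still need to be provided outside the skill if they are required.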

Missing User Warnings

Medium severity (89% confidence)
Finding
The backup example downloads remote Drive content and writes it to local storage using filenames derived from remote data, without strong warning or sanitization. This can overwrite local files, create unsafe filenames, or cause unintended bulk data exfiltration to disk.
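
As an added example (not the skill's own code), this is the sanitization and no-overwrite check the backup step is missing. It assumes the Drive file name arrives as an arbitrary string and that a lossy ASCII-only local name is acceptable; the function names are ours.

```shell
#!/bin/sh
# Added example (not the skill's own code). Makes a Drive-supplied file name
# safe to use under a local backup directory and never clobbers existing files.
set -u

# Reduce an untrusted remote name to a plain local file name:
#  - drop any directory components ("../../.bashrc" -> ".bashrc")
#  - cap the length, then replace every byte outside A-Za-z0-9._- with "_"
#    (non-ASCII names become underscores; assumption: lossy names are fine here)
#  - strip leading dots so the result is never ".", ".." or a hidden dotfile
#  - never return an empty name
safe_name() {
  n=${1##*/}
  n=$(printf '%.200s' "$n" | tr -c 'A-Za-z0-9._-' '_')
  n=${n#"${n%%[!.]*}"}
  [ -n "$n" ] || n=unnamed
  printf '%s\n' "$n"
}

# Destination path for NAME under DIR; refuses to overwrite anything,
# including a symlink that would redirect the write somewhere else.
backup_path() {
  dest="$1/$(safe_name "$2")"
  if [ -e "$dest" ] || [ -L "$dest" ]; then
    echo "refusing to overwrite $dest" >&2
    return 1
  fi
  printf '%s\n' "$dest"
}

# Write stdin to a fresh file under DIR. noclobber (set -C) closes the race
# between the existence check and the actual write.
store_backup() {
  dest=$(backup_path "$1" "$2") || return 1
  ( set -C; cat > "$dest" ) || return 1
  printf '%s\n' "$dest"
}
```

Pipe each download into `store_backup "$BACKUP_DIR" "$remote_name"`; a name such as `../../.bashrc` becomes `bashrc` inside the backup directory, and a second file with the same sanitized name fails loudly instead of replacing the first. The helper does not decide which files to fetch, so the list of file IDs still needs a human look before any bulk loop runs.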

Missing User Warnings

Medium severity (84% confidence)
Finding
The script writes the full OAuth response, including sensitive tokens, to a local file without an explicit warning or additional safeguards beyond chmod 600. Local secret storage increases risk of compromise through backups, home directory syncing, shared accounts, accidental disclosure, or later misuse if the file persists longer than expected.

VirusTotal

65/65 vendors flagged this skill as clean.