Gmail Secretary

Security checks across malware telemetry and agentic risk

Overview

This Gmail assistant mostly does what it says, but it needs review because it uses hardcoded Gmail/keyring defaults and stores private email-derived data locally.

Install only if you intend this skill to access the configured Gmail account through gog. Set your own GOG_ACCOUNT, avoid the default keyring password, review generated label files before applying them, and delete or restrict cached inbox and voice-reference files if you do not want email content retained locally.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (9)

Context-Inappropriate Capability

Medium

Confidence: 98% confidence
Finding: The script hard-codes both a Gmail account identifier and a default keyring password, creating a dangerous fallback path for accessing real user email data. In a skill that operates on Gmail, embedding credential-adjacent defaults materially increases the chance of unauthorized mailbox access and silent operation against a specific person’s account.

Description-Behavior Mismatch

Medium

Confidence: 95% confidence
Finding: This script mines up to 50 sent emails, extracts body content, and persists representative snippets into a local voice reference file. That behavior expands the skill from triage/drafting into profile-building from historical communications, which creates a privacy-sensitive data store not disclosed by the stated skill purpose and could expose confidential content despite partial redaction.

Context-Inappropriate Capability

Medium

Confidence: 99% confidence
Finding: The script hardcodes and exports a default keyring password ("openclaw") for Gmail access. A built-in fallback secret materially weakens credential protection because anyone with access to the environment or the expected setup can unlock the keyring without user consent, and this is unrelated to safe inbox triage functionality.

Natural-Language Policy Violations

Medium

Confidence: 90% confidence
Finding: The file hard-codes a specific individual's communication style and signature details for generated drafts without any indication of user opt-in, identity confirmation, or per-message consent. In a Gmail triage assistant, this can cause the agent to impersonate the user in a fixed voice and leak personal profile cues or signatures into drafts, increasing privacy, authenticity, and misrepresentation risks.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The script silently sets a default keyring password via an environment variable, embedding a predictable secret value in code. In a Gmail automation context, this weakens protection around stored credentials and can allow anyone with code access or local process/environment visibility to unlock the gog keyring without user awareness.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The script immediately queries Gmail sent-mail data and prepares a persistent output file without any user-facing notice, consent check, or disclosure in the file itself. Accessing personal mailbox history in the background is risky in this context because users may reasonably expect triage assistance, not undisclosed archival profiling of prior correspondence.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The script reads credential-related environment variables but supplies an insecure default password value, which undermines the security boundary around the keyring. A predictable default secret can allow unintended decryption or access in environments where the variable is not explicitly set, especially dangerous for a Gmail-integrated assistant handling sensitive communications.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The script retrieves inbox contents and stores raw Gmail message data in a local cache file under a predictable path. This creates a confidentiality risk because sensitive email metadata and possibly content may persist on disk longer than intended, where other local users, processes, backups, or later tasks could access it.

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The script extracts and writes structured email summaries including sender, subject, snippet, dates, and identifiers to a local JSON file. Even though this is less sensitive than full raw messages, it still exposes potentially private communications and creates a durable artifact that can be read or exfiltrated by other software on the host.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal