Gmail

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Gmail integration skill, but users should treat it as delegated access to their Gmail account through MorphixAI.

Install only if you trust MorphixAI and the openclaw-morphixai plugin. Link only the Gmail account you intend to delegate, review the granted scopes, and require clear confirmation before the agent sends email or moves messages to trash.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill documents a `send_mail` capability but does not clearly warn that using it causes the agent to send email as the user. In an agent setting, this can lead to unauthorized or socially engineered outbound messages, privacy breaches, or reputational harm if the user does not understand the delegation and identity implications.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill exposes `trash_message` but does not clearly warn users that this is a destructive action that moves mail to trash and may cause data loss or missed communications. In an agent-driven workflow, ambiguous documentation increases the chance that a user or downstream agent triggers deletion without appreciating the consequence.

VirusTotal

64/64 vendors flagged this skill as clean.
