Back to skill

Security audit

Gmail

Security checks across malware telemetry and agentic risk

Overview

This Gmail skill is coherent, but it can read, send, modify, and trash email through a third-party gateway with limited safety guidance.

Review this skill before installing if you use Gmail for sensitive personal or business mail. Only use it if you trust Maton with proxied Gmail access, keep the API key private, choose the intended Gmail connection explicitly, and require manual review before any send, draft-send, label modification, or trash operation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill documents destructive Gmail operations such as trashing messages without any warning, confirmation guidance, or discussion of user-data impact. In an agent setting, this increases the risk that an agent may delete or modify mailbox content on a user's behalf without sufficiently explicit consent or safeguards.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation exposes message-sending and draft-sending capabilities without warning that outbound emails will be sent as the authenticated user. In an autonomous or semi-autonomous agent workflow, this can lead to unauthorized or unintended communications, impersonation, or reputational harm if the agent sends mail without clear user approval.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill advertises reading and managing Gmail through a third-party network gateway but does not prominently warn that mailbox contents and metadata will transit an external service. This omission is privacy-relevant because users may not realize sensitive emails, threads, labels, and account metadata are being accessed and proxied outside the native Gmail environment.

Env Variable Harvesting

High
Category
Data Exfiltration
Content
import urllib.request, os, json
data = json.dumps({'app': 'google-mail'}).encode()
req = urllib.request.Request('https://ctrl.maton.ai/connections', data=data, method='POST')
req.add_header('Authorization', f'Bearer {os.environ["MATON_API_KEY"]}')
req.add_header('Content-Type', 'application/json')
print(json.dumps(json.load(urllib.request.urlopen(req)), indent=2))
EOF
Confidence
80% confidence
Finding
os.environ["MATON_API_KEY"]

Env Variable Harvesting

High
Category
Data Exfiltration
Content
python <<'EOF'
import urllib.request, os, json
req = urllib.request.Request('https://gateway.maton.ai/google-mail/gmail/v1/users/me/messages')
req.add_header('Authorization', f'Bearer {os.environ["MATON_API_KEY"]}')
req.add_header('Maton-Connection', '21fd90f9-5935-43cd-b6c8-bde9d915ca80')
print(json.dumps(json.load(urllib.request.urlopen(req)), indent=2))
EOF
Confidence
80% confidence
Finding
os.environ["MATON_API_KEY"]

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_resource_identifier

Example code exposes a concrete connection_id instead of a placeholder.

Critical
Code
suspicious.exposed_resource_identifier
Location
SKILL.md:103