Gmail Bridge

Security checks across malware telemetry and agentic risk

Overview

This Google Workspace bridge is coherent, but it can read and modify sensitive Google account data through an external local bridge without clear confirmation or scope boundaries.

Install only if you operate and trust the local bridge. Verify the Google account, OAuth scopes, bridge authentication, and token storage before use; keep it bound to localhost, set a strong bridge secret if supported, and require explicit confirmation before any Sheets write, Calendar creation, or email forwarding action.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill documents state-changing actions such as forwarding email, writing Sheets data, and creating Calendar events without requiring explicit user confirmation or warning about side effects. In an agent setting, this can lead to accidental data exfiltration, integrity loss, or unintended external communication, especially since forwarding email can transmit sensitive content to third parties.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal