Back to skill

Security audit

Gmail (tc)

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Gmail integration, but it asks for persistent Gmail OAuth access and can send or modify email without enough provenance or safety guardrails.

Install only if you trust the publisher and are comfortable granting Gmail access. Use a dedicated OAuth client with the narrowest Gmail scopes possible, protect the refresh token like a password, revoke it when finished, and require a final human review before any email is sent, attachment is included, draft is created, or mailbox labels are changed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This skill enables access to mailbox contents and the ability to send outbound email, but the description and usage guidance do not prominently warn users that it can read sensitive communications, attachments, and metadata or send messages on their behalf. In an agent setting, missing consent and privacy warnings increases the risk of unintended data exposure, unauthorized email actions, and social-engineering amplification through trusted email accounts.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.