Gmail Auto Draft

Security checks across malware telemetry and agentic risk

Overview

This Gmail drafting skill is coherent, but it needs review because it can continuously read private email, send message content to an AI endpoint, and modify mailbox state.

Install only if you are comfortable granting Gmail modify/compose access and sending selected email contents to the configured AI backend. Use a test mailbox first, narrow the Gmail query, keep `--mark-read` off until validated, protect `token.json` and API keys, and review every draft before sending.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding: The skill declares no permissions while clearly requiring access to environment variables, local files, network services, and mailbox-related operations. This mismatch undermines informed consent and review, because a user may invoke the skill without understanding it can read credentials, contact external LLM endpoints, and write draft-related state.

Description-Behavior Mismatch

Severity: Low
Confidence: 87%
Finding: The documentation frames the workflow as "draft-only" and "review-safe", but exposed options include `--mark-read`, which changes mailbox state. Even though this is not direct message sending, it can still hide unread emails or alter operational workflows, making the safety claims incomplete and potentially misleading.

Vague Triggers

Severity: Medium
Confidence: 78%
Finding: The skill description is broad enough to match many generic email-assistance requests, which increases the chance of over-invocation in contexts where reading inbox content or drafting replies is unnecessary or too sensitive. Because the skill processes live email and can contact an LLM backend, ambiguous triggering expands the risk of unintended data exposure and mailbox modifications.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The documentation recommends enabling `--mark-read` in production, which changes mailbox state by marking unread messages as read, but it does not clearly warn users about the operational consequences. In an email-monitoring skill, this can cause users to miss messages, break triage workflows, or interfere with other automations that depend on unread status.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The setup explicitly instructs users to run a continuous polling loop that monitors Gmail and creates drafts on an ongoing basis, but it does not clearly warn that this will repeatedly modify the user's mailbox state. In a Gmail automation skill, silent or insufficiently disclosed continuous account interaction increases the risk of unintended draft creation, processing of sensitive messages, and operational surprises for the account owner.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The setup asks operators to provide OAuth client secrets, Gmail account access, profile data, and model credentials, and it states that OAuth tokens will be stored locally, but it does not include a clear warning that these files grant significant access to the mailbox and related services. This omission can lead to insecure handling of sensitive credentials and underestimation of the consequences of token theft or accidental disclosure.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding: The Gmail search query is broad enough to capture many unrelated inbound emails containing generic business phrases like "looking for" or "can you help." In the context of an auto-draft workflow that reads message contents and generates AI replies, this can cause unintended processing of non-target emails, increasing privacy exposure and creating inappropriate draft responses to ordinary correspondence.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The script sends full email bodies plus sender-identifying metadata to an external OpenAI-compatible endpoint to generate drafts. That creates a real privacy and data-handling risk because potentially sensitive inbox content is disclosed to another service, and the default endpoint may be user-configurable or remote.

Missing User Warnings

Severity: Medium
Confidence: 82%
Finding: The script performs state-changing mailbox actions automatically: it creates drafts, applies labels, and can mark messages read. In an automation context, insufficiently prominent disclosure and confirmation can lead to unintended handling of user mail and operational mistakes at inbox scale.

Ssd 3

Severity: Medium
Confidence: 92%
Finding: Untrusted inbound email content is inserted verbatim into the LLM prompt, so a sender can embed instructions that influence the generated draft. This can cause the model to include sensitive details, follow attacker-authored framing, or generate manipulative responses that appear to come from the mailbox owner.

Ssd 1

Severity: Medium
Confidence: 96%
Finding: This is a classic prompt-injection surface: attacker-controlled email text is concatenated into the same context used to instruct the model how to write the reply. Because the model is generating outbound content on behalf of the user, malicious email content can steer tone, content, next steps, or disclosure in the resulting draft.

VirusTotal

65/65 vendors flagged this skill as clean.