Gmail Draft Email

Security checks across malware telemetry and agentic risk

Overview

This is a narrow Gmail helper that creates drafts through the local gog CLI and does not show hidden code, persistence, or unrelated behavior.

Install only if you trust the local `gog` CLI and have it connected to the Gmail account you intend to use. Review recipients and message content before asking an agent to create drafts, especially for sensitive or confidential material.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill directs an agent to transmit recipient addresses, subject lines, and message bodies to Gmail via the external `gog` CLI, but it provides no user-facing notice, consent check, or data-sensitivity guardrail before doing so. In agentic workflows, this can cause unintended disclosure of personal, confidential, or regulated information because the agent may draft messages containing sensitive content without the user understanding that the data is being sent to an external service.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal