Gmail Draft Send

Security checks across malware telemetry and agentic risk

Overview

This skill is narrowly focused and transparent, but it gives an agent direct authority to send Gmail drafts without requiring a final user confirmation.

Install only if you are comfortable with an agent sending Gmail drafts through your local `gog` CLI. Before use, verify the `gog` binary and Gmail account, and require the agent or your workflow to confirm the exact draft ID, recipients, subject, and final body before sending.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill instructs an agent to send an existing Gmail draft directly, with no explicit requirement to obtain fresh user confirmation before performing an irreversible external action. Because sending email can disclose sensitive information, trigger workflows, or cause reputational harm, automatic execution or blind retries materially increases the chance of unintended transmission.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal