Google Contacts Search

Security checks across malware telemetry and agentic risk

Overview

This is a narrow Google Contacts search skill, but users should understand it relies on a Composio API key and an external `gog` tool to access contact data.

Before installing, confirm you trust the `gog` binary and the Composio account connection it uses. Grant only the Google Contacts access needed for search, keep `COMPOSIO_API_KEY` secret, and monitor or stop the workflow if retries continue after failures.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill manifest requires a sensitive credential (COMPOSIO_API_KEY) but the visible skill description and body do not clearly disclose that the skill will use an external account-linked API or explain the security/privacy implications. This creates a real transparency and consent problem: users may authorize or run the skill without understanding that contact data access depends on a sensitive secret and may involve third-party handling of personal address-book information.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal