Google Drive Share File

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it tells an agent how to share a Google Drive file with the gog CLI, but users should confirm the exact recipient and permission before use.

Install only if you intend to let the agent help manage Google Drive sharing through gog. Before any command runs, confirm the exact file or folder ID, recipient email, permission role, and whether public access is intended; prefer reader access unless broader permissions are necessary.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The activation condition is overly broad and directly instructs the agent to share a Drive file whenever sharing is needed, without requiring confirmation of recipient, scope, role, or whether public exposure is intended. In an agentic setting, this can lead to unintended disclosure of sensitive documents to external users or to overly permissive sharing based on ambiguous prompts.

Missing User Warnings

High

Confidence: 98% confidence
Finding: The skill omits any warning that sharing a Drive file can expose private or regulated data to other users or the public, and the examples normalize permission changes without highlighting risk. Because the skill is specifically designed to modify access controls on cloud-hosted content, lack of disclosure and confirmation materially increases the chance of accidental data leakage.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal