gmcli
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [Unverifiable Dependencies] (MEDIUM): The skill instructs the user to install the global NPM package '@mariozechner/gmcli'. This package is not from a trusted source or organization, presenting a risk of supply chain attack or execution of unverified code.
- [Indirect Prompt Injection] (LOW): The skill allows the agent to read untrusted email content using 'gmcli thread', which creates a vulnerability if an attacker sends an email containing malicious instructions. • Ingestion points: Gmail email content via 'gmcli thread' command output. • Boundary markers: None. • Capability inventory: Sending emails, searching, and managing labels/drafts. • Sanitization: No sanitization of email body content is specified before processing by the agent.
- [Data Exposure] (LOW): The skill creates and accesses sensitive files in '~/.gmcli/', specifically OAuth credentials and account tokens. While standard for this tool's operation, these are high-value targets for exfiltration by other malicious skills.
Audit Metadata