skills/blink-new/claude/gmail/Gen Agent Trust Hub

gmail

Warn

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: MEDIUM

CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION

Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill manages sensitive Google OAuth2 credentials and long-lived refresh tokens (token.json). The documentation in SKILL.md provides instructions for exporting these secrets as base64-encoded environment variables (GMAIL_CREDENTIALS, GMAIL_TOKEN), which increases the risk of accidental exposure in execution logs or shared environments.
  • [COMMAND_EXECUTION]: The authentication management scripts (accounts.mjs and auth.mjs) use child_process.execSync to perform system actions like opening the default web browser and invoking other Node.js scripts.
  • [DATA_EXFILTRATION]: The skill possesses a broad file-read capability via the --attachments argument in send.mjs, reply.mjs, and draft.mjs. The _mime.mjs utility uses fs.readFileSync to load these files. This allows the agent to read arbitrary local files and transmit them externally as email attachments.
  • [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection because it ingests untrusted content from the user's Gmail messages and provides the agent with high-privilege capabilities (sending emails and reading local files).
    • Ingestion points: Email bodies and headers are retrieved and processed in read.mjs, list.mjs, and search.mjs.
    • Boundary markers: No delimiters or safety instructions are used to distinguish between the agent's instructions and the content of the emails being read.
    • Capability inventory: The skill can send emails (send.mjs, reply.mjs), manage drafts (draft.mjs), and read local files for attachments.
    • Sanitization: The skill performs basic HTML stripping in _mime.mjs, but does not sanitize or validate natural language instructions found within email content.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 11, 2026, 03:10 PM