add-gmail

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt asks the user to paste their GCP OAuth JSON (or a file path) and provides commands that embed that JSON verbatim (here-doc EOF or cp with the provided path), which requires the LLM to handle and output secret values directly, creating an exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). This integration guide requires pasting/placing OAuth credentials and mounting them into a container, grants an agent full read/send Gmail access, instructs the user to run remote npx packages and to bypass "unverified app" warnings — collectively creating strong opportunities for data exfiltration and supply-chain/RCE abuse.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill ingests and processes arbitrary incoming Gmail messages (via the Gmail MCP @gongrzhe/server-gmail-autoauth-mcp) — see checkForNewEmails()/startEmailLoop() and runEmailAgent() which build prompts from email body/subject — so it consumes untrusted, user-generated third‑party content as part of its workflow.