The Agent Skills Directory

COMMAND_EXECUTION (MEDIUM): The skill instructs the agent to execute a local JavaScript file (gmailcli.js) using Node.js to perform all operations, which involves executing code on the host system via a command-line interface.
CREDENTIALS_UNSAFE (MEDIUM): Setup instructions direct the user to store GMAIL_CLIENT_ID, GMAIL_CLIENT_SECRET, and base64-encoded OAuth tokens in a .env file at the repository root. This exposes sensitive authentication secrets and session tokens to any process with read access to the file system.
DATA_EXFILTRATION (MEDIUM): The skill provides the agent with full access to the user's email history and contact list. While this is necessary for the skill's function, it creates a risk of data exfiltration if the agent is manipulated or compromised, as it also has the capability to send outgoing emails.
PROMPT_INJECTION (LOW): The skill is vulnerable to indirect prompt injection from untrusted data contained in email bodies and subjects.
Ingestion points: Untrusted data enters the agent context through the read, list, and search commands executed via gmailcli.js in SKILL.md.
Boundary markers: Absent; the skill does not provide instructions to use delimiters or to treat retrieved email content as untrusted.
Capability inventory: The agent has the ability to send emails, create drafts, and list all contacts via the node command.
Sanitization: Absent; the skill does not specify any sanitization, validation, or escaping of email content before it is processed by the agent.

use-gmail