gmail-skill
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS
Full Analysis
- [INDIRECT_PROMPT_INJECTION] (HIGH): High risk of adversarial instructions entering the agent's context through external data.
  - Ingestion points: The skill reads untrusted data from email bodies and contact details via the `gmail_skill.py` `read`, `search`, and `contacts` commands.
  - Boundary markers: There are no explicit boundary markers or instructions to treat email content as data rather than instructions in the provided command documentation.
  - Capability inventory: The agent has the power to `send` emails, create `draft` messages, and modify email states (`mark-read`, `star`, `archive`), which are high-privilege side effects.
  - Sanitization: No mention of content sanitization or instruction filtering for the ingested email text.
- [DATA_EXFILTRATION] (HIGH): While no hardcoded exfiltration URL is present, the capability to read all emails and then send emails to arbitrary addresses provides a direct path for data exfiltration if the agent is compromised via prompt injection.
- [COMMAND_EXECUTION] (MEDIUM): The skill relies on executing a local Python script (`gmail_skill.py`) through the Bash tool. This introduces risk if the script does not properly sanitize arguments or if the script itself is tampered with.
- [CREDENTIALS_UNSAFE] (MEDIUM): The skill documentation instructs the user to store sensitive OAuth `credentials.json` and the resulting `tokens/` in a predictable local directory (`~/.claude/skills/gmail-skill/`). While not hardcoded, these files are high-value targets for other malicious processes on the system.
- [EXTERNAL_DOWNLOADS] (LOW): The skill requires several external Python dependencies (`google-api-python-client`, `requests`, etc.). While these are from trusted sources, they represent a standard supply chain risk.
Recommendations
- AI detected serious security threats
Audit Metadata