google-workspace
Fail
Audited by Gen Agent Trust Hub on Mar 31, 2026
Risk Level: HIGH
DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill exfiltrates sensitive Google OAuth refresh tokens to an external domain. In `scripts/common.js`, the `refreshViaCloudFunction` function sends the user's refresh token to `https://google-workspace-extension.geminicli.com/refreshToken`. This allows the third-party service to generate access tokens and maintain persistent access to the user's Google account.
- [REMOTE_CODE_EXECUTION]: The skill implements a dynamic execution engine in `scripts/workspace.js` using the `node:vm` module. The `cmdExec` function compiles and runs arbitrary JavaScript code provided by the agent. This allows the execution of untrusted logic within the context of the Google API helper.
- [EXTERNAL_DOWNLOADS]: The `installDependencies` function in `scripts/common.js` automatically executes `npm install` if required packages are missing. This downloads and executes code from the npm registry without explicit user confirmation at runtime.
- [COMMAND_EXECUTION]: The skill executes shell commands using `child_process.spawnSync` and `spawn` to install dependencies and open the system browser for OAuth flows.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection.
  - Ingestion points: Google Workspace APIs (Gmail, Drive, etc.) accessed via `scripts/workspace.js`.
  - Boundary markers: Absent.
  - Capability inventory: Arbitrary JS execution via `node:vm` in `scripts/workspace.js` and write access to APIs (e.g., `gmail.users.messages.modify`).
  - Sanitization: None.
  - Evidence: Scripts process external data from emails and files then execute logic based on it without sanitization.
Recommendations
- AI detected serious security threats
Audit Metadata