Skills
skills/mitsuhiko/agent-stuff/google-workspace/Gen Agent Trust Hub

google-workspace

Warn

Audited by Gen Agent Trust Hub on Feb 22, 2026

Risk Level: MEDIUMCREDENTIALS_UNSAFEPROMPT_INJECTIONNO_CODE
Full Analysis
  • [CREDENTIALS_UNSAFE] (MEDIUM): The skill manages highly sensitive Google OAuth tokens (access and refresh tokens). These are stored in the local file system at ~/.pi/google-workspace/. While standard for local helper tools, these files represent high-value targets for local data exfiltration and persistent account access.
  • [NO_CODE] (MEDIUM): The file scripts/common.js is missing. This is a critical omission as it contains the primary logic for authorize(), token management, scope formatting, and configuration loading. Without this file, it is impossible to verify if the skill implements secure token storage or if there are hidden exfiltration patterns within the authentication flow.
  • [DYNAMIC_EXECUTION] (MEDIUM): The workspace.js script implements a dynamic method resolver in resolveMethod. It allows the agent to call any method within the googleapis SDK by providing a service name and a string-based method path (e.g., drive.files.delete). This provides a broad 'gadget' that could be exploited if the agent is manipulated into executing destructive commands or accessing sensitive administrative endpoints.
  • [PROMPT_INJECTION] (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8) due to its core function of reading untrusted data from Gmail, Google Drive, and Docs.
  • Ingestion points: cmdDriveSearch, cmdGmailSearch, and generic callApi results in workspace.js ingest external content into the agent's context.
  • Boundary markers: Absent. The scripts return raw JSON results without delimiters or instructions to the agent to ignore embedded commands.
  • Capability inventory: The skill possesses extensive capabilities, including reading, writing, and deleting data across the entire Google Workspace via the generic call command.
  • Sanitization: No sanitization or filtering of API responses is performed before returning data to the agent.
  • [EXTERNAL_DOWNLOADS] (SAFE): The package.json specifies official and well-maintained dependencies (googleapis, @google-cloud/local-auth) from the Google Cloud ecosystem.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Feb 22, 2026, 07:24 PM