google-workspace

Fail

Audited by Snyk on Feb 22, 2026

Risk Level: CRITICAL

Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The code routes OAuth flows through a third-party cloud function and explicitly POSTs refresh tokens to a remote URL (default: google-workspace-extension.geminicli.com), which is a clear data-exfiltration/credential-theft pattern. Apart from that, there is no obfuscated payload, remote shell, eval/exec, or hidden persistent backdoor code.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill's workspace.js helper explicitly calls Google Workspace APIs (e.g., docs.documents.get, drive files.list, gmail messages.get), and SKILL.md instructs the agent to "use workspace.js call" and post-process the returned JSON. The skill therefore fetches user-generated third-party content (Docs/Drive/Gmail) that the agent will read and that could contain instructions that influence subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.70). The skill will auto-run npm install at runtime (installDependencies), which fetches packages from the npm registry (e.g. https://registry.npmjs.org) and then requires/executes those modules in-process, meaning remote code is fetched and executed.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Feb 22, 2026, 07:24 PM