skills/openclaw/skills/ez-google/Gen Agent Trust Hub

ez-google

Fail

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: HIGH | CREDENTIALS_UNSAFE | DATA_EXFILTRATION | PROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE] (HIGH): The auth.py script utilizes a 'hosted OAuth' flow via https://ezagentauth.com. This non-standard authentication proxy encourages users to paste a Base64-encoded JSON blob containing sensitive refresh_token and client_secret values into the CLI. This design pattern is highly susceptible to credential harvesting by the domain owner.
  • [DATA_EXFILTRATION] (HIGH): The authentication architecture serves as a vector for exfiltrating persistent Google Workspace credentials. By requesting extremely broad scopes (Gmail modify, Drive, Calendar, Contacts, Chat) and routing the authorization through an untrusted intermediary, the skill compromises the entire Workspace environment.
  • [PROMPT_INJECTION] (LOW): The skill is highly vulnerable to Indirect Prompt Injection (Category 8). It ingests untrusted data from various sources which is then interpreted by the agent.
      • Ingestion points: gmail.py (read email), docs.py (get content), drive.py (download file content), slides.py (extract text).
      • Boundary markers: Absent. The scripts return raw text content to the agent without delimiters or warnings to ignore embedded instructions.
      • Capability inventory: The agent possesses high-impact capabilities including gmail.py send, gmail.py bulk-trash, docs.py replace, and drive.py delete (via drive.py metadata/management), allowing an injected instruction to perform unauthorized actions.
      • Sanitization: Absent. There is no filtering or escaping of content retrieved from the Google Workspace APIs before it is interpolated into the agent's context.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 18, 2026, 02:48 AM