add-gmail

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly asks the user to paste their GCP OAuth JSON (which contains client_id/client_secret) and instructs writing it to disk, meaning the LLM would receive and handle secret values verbatim — a high exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). The skill contains multiple high-risk abuse vectors — blind merging of an external git repo, running remote npm packages via npx, instructing the user to paste OAuth JSON into the conversation and to bypass OAuth verification, and mounting OAuth credentials into a container while registering an agent channel that can read/send emails — together these enable supply-chain remote code execution and easy credential theft/data exfiltration.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly adds a Gmail channel that polls and reads arbitrary incoming emails (Phase 1: "Full channel mode: the agent listens on Gmail", Phase 3/4 setup and verification steps showing inbox polling and tools), meaning untrusted, user-generated third-party email content is ingested and can trigger/shape the agent's actions and tool use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly runs npx -y @gongrzhe/server-gmail-autoauth-mcp (which fetches and executes remote npm package code at runtime) and instructs adding/merging the git remote https://github.com/qwibitai/nanoclaw-gmail.git (pulling external code into the project), so external content is fetched and executed as a required dependency.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill instructs merging external code into the repo, modifying container and service configuration, writing OAuth credentials, running npx autorun tools and restarting user/system services — and even tells the user to bypass the "app isn't verified" OAuth warning — all of which change machine state and include a security-bypassing step.