add-gmail
Warn
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill adds a remote git repository from the vendor (https://github.com/qwibitai/nanoclaw-gmail.git) and fetches/merges code into the local project environment.- [REMOTE_CODE_EXECUTION]: Uses
npxto download and execute the package@gongrzhe/server-gmail-autoauth-mcp. This package originates from an unverified third-party user on the NPM registry and is used to handle sensitive OAuth authentication flows.- [COMMAND_EXECUTION]: Orchestrates several shell commands includinggit fetch,git merge,npm install, and service restarts vialaunchctlorsystemctlto apply changes.- [DATA_EXFILTRATION]: Reads and writes sensitive Gmail API credentials and OAuth tokens to the~/.gmail-mcp/directory. While necessary for functionality, this directory is mounted into the agent container, creating a sensitive data surface.- [PROMPT_INJECTION]: Implements a capability to poll and process external email data, which acts as an indirect prompt injection vector. - Ingestion points: Unread emails from the Gmail inbox (monitored in Phase 4).
- Boundary markers: Present; the skill appends instructions to
CLAUDE.mdadvising the agent not to reply to emails automatically. - Capability inventory: Tools for reading, sending, searching, and drafting emails (Phase 1).
- Sanitization: Absent; the skill does not specify any sanitization or filtering of email body content before processing.
Audit Metadata