add-gmail

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly asks the user to paste their GCP OAuth JSON (which contains client_id/client_secret) and instructs writing it to disk, meaning the LLM would receive and handle secret values verbatim — a high exfiltration risk.

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.80). The GitHub URL is an untrusted/unknown-user repository that the skill explicitly instructs you to add and merge into your codebase (high risk of introducing malicious code), while console.cloud.google.com is the legitimate Google Cloud Console and not itself suspicious — overall this set is high-risk because of the unverified GitHub remote/merge instruction.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly adds a Gmail channel that polls and reads arbitrary incoming emails (Phase 1: "Full channel mode: the agent listens on Gmail", Phase 3/4 setup and verification steps showing inbox polling and tools), meaning untrusted, user-generated third-party email content is ingested and can trigger/shape the agent's actions and tool use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly runs npx -y @gongrzhe/server-gmail-autoauth-mcp (which fetches and executes remote npm package code at runtime) and instructs adding/merging the git remote https://github.com/qwibitai/nanoclaw-gmail.git (pulling external code into the project), so external content is fetched and executed as a required dependency.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill instructs merging external code into the repo, modifying container and service configuration, writing OAuth credentials, running npx autorun tools and restarting user/system services — and even tells the user to bypass the "app isn't verified" OAuth warning — all of which change machine state and include a security-bypassing step.