Skills
skills/robbowes/dotfiles/google-workspace-admin/Gen Agent Trust Hub

google-workspace-admin

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: CRITICALREMOTE_CODE_EXECUTIONPROMPT_INJECTIONCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
  • [REMOTE_CODE_EXECUTION] (CRITICAL): The skill instructs the agent to install the GAM7 CLI by piping a remote script from an untrusted source directly into a bash shell.
  • Evidence: bash <(curl -s -S -L https://git.io/gam-install) -l in SKILL.md.
  • Details: The source git.io is a URL shortener and does not fall within the defined list of trusted repositories or organizations. This pattern allows an attacker to execute arbitrary code on the host system during the installation phase.
  • [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to indirect prompt injection (Category 8) due to its combination of high-privilege capabilities and data ingestion surface.
  • Ingestion points: The skill frequently ingests untrusted data via gam csv <file> and by reading file lists from Google Drive (gam user ... print filelist).
  • Boundary markers: There are no delimiters or boundary instructions provided to help the agent distinguish between administrative commands and potentially malicious instructions embedded in CSV fields or file metadata.
  • Capability inventory: The skill provides a massive capability tier, including user creation, password resets, deletion, remote device wiping, and management of OAuth tokens.
  • Sanitization: No sanitization or validation of input data is defined. An attacker providing a malicious CSV file could exploit the agent's broad permissions to perform unauthorized administrative actions.
  • [COMMAND_EXECUTION] (HIGH): The skill implements powerful administrative commands that can significantly impact the security posture of a Google Workspace domain.
  • Evidence: Commands such as gam update mobile <resource_id> action admin_remote_wipe and gam update user ... password allow for irreversible actions and credential modification.
  • Details: While these are intended functions, the risk is amplified because the skill relies on conversational guards ("Always ask before acting") which are easily bypassed by prompt injection.
  • [DATA_EXFILTRATION] (MEDIUM): The skill facilitates the bulk extraction of sensitive organizational data to external destinations.
  • Evidence: gam print users allfields todrive and gam all users print tokens todrive.
  • Details: These commands export PII and security tokens (OAuth apps) to external files (Google Drive or CSV). If the agent is compromised or misled, this functionality can be used to harvest domain-wide credentials and user data.
Recommendations
  • CRITICAL: Downloads and executes remote code from untrusted source(s): https://git.io/gam-install - DO NOT USE
  • AI detected serious security threats
Audit Metadata
Risk Level
CRITICAL
Analyzed
Feb 16, 2026, 06:48 AM