NYC

gmail

Fail

Audited by Snyk on Feb 19, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). The code deliberately routes OAuth credentials (authorization tokens and refresh tokens) through an external cloud function (https://google-workspace-extension.geminicli.com) — including POSTing refresh tokens to that endpoint and using that service as the OAuth redirect/handler — which exposes sensitive tokens to a third party and constitutes credential exfiltration/remote access risk; otherwise the rest of the code is standard Gmail API client behavior.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill explicitly fetches and reads user emails from Gmail (see SKILL.md commands and scripts/gmail.py search/get_message) — these are untrusted, user-generated third-party messages that the agent ingests and can act on (send replies, create drafts, modify labels), so third-party content could indirectly inject instructions.

Audit Metadata
Risk Level
CRITICAL
Analyzed
Feb 19, 2026, 04:20 PM