google-chat

Fail

Audited by Snyk on Feb 19, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The code intentionally routes the OAuth flow through an external cloud function (google-workspace-extension.geminicli.com) and sends refresh tokens to it, exposing long-lived credentials to a third party (potential credential exfiltration). No hidden eval/exec, reverse shells, obfuscation, or other backdoor/RCE patterns were found.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and reads user-generated chat messages from Google Chat via scripts/chat.py (get_messages/api_request -> chat.googleapis.com/v1/.../messages), and the SKILL.md/README describe "Read Messages" and "Get messages from a space". Untrusted third-party content (other users' messages) can therefore be ingested and influence subsequent actions (e.g., sending messages or creating spaces).
Audit Metadata

Risk Level: CRITICAL
Analyzed: Feb 19, 2026, 05:31 PM