gmail

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION, CREDENTIALS_UNSAFE)
Full Analysis
  • PROMPT_INJECTION (HIGH): The skill is vulnerable to Indirect Prompt Injection from processed email data.
      • Ingestion points: Untrusted data enters the agent context through scripts/read_message.py (email body) and scripts/list_messages.py (snippets).
      • Boundary markers: Absent. There are no instructions in SKILL.md or the scripts to wrap external content in delimiters or to ignore instructions embedded within the emails.
      • Capability inventory: The skill possesses significant capabilities including sending emails and creating drafts (scripts/send_message.py), and modifying, trashing, or archiving messages (scripts/manage_labels.py). Additionally, scripts/read_message.py can write files to the local disk.
      • Sanitization: Absent. The skill does not sanitize email content or attachment filenames. The use of att['filename'] in read_message.py to construct a local file path (save_path / att['filename']) presents a high-severity path traversal risk if an email contains a malicious filename.
  • CREDENTIALS_UNSAFE (MEDIUM): The skill handles sensitive OAuth credentials. scripts/setup_auth.py stores refresh tokens in the accounts/ directory as JSON files. While necessary for persistent Gmail access, these files represent a local credential exposure risk.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 08:45 PM