gmail
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill provides a high-impact surface for Indirect Prompt Injection (Category 8) by processing external untrusted data with privileged tools.
  - Ingestion points: The `read` command (via `scripts/gmail.ts`) fetches full email bodies, and the `list` command fetches snippets and headers.
  - Boundary markers: Absent; there are no delimiters or instructions to ignore embedded commands in the processed emails.
  - Capability inventory: Possesses write/delete capabilities including `send`, `send-md`, `draft`, and `delete` (for calendar events).
  - Sanitization: No sanitization or filtering logic is documented for the ingested email content.
- [Data Exposure] (HIGH): The skill accesses sensitive local configuration files and private communication (Category 2).
  - Evidence: It reads credentials from `~/.config/google-skill/credentials.json` and stores authentication tokens in `.claude/google-skill.local.json`.
- [Command Execution] (MEDIUM): Uses `npx tsx` to execute local TypeScript scripts for all operations (Category 4/10).
  - Evidence: All primary functions are implemented via calls to `npx tsx ${CLAUDE_PLUGIN_ROOT}/scripts/gmail.ts`.
Recommendations
- AI detected serious security threats
Audit Metadata