gmail-manager
Audited by Socket on Mar 1, 2026
1 alert found:
Obfuscated File

Functionally, the skill correctly describes Gmail management workflows and the Rube MCP tool calls. The primary security concern is the architectural choice to proxy all Gmail operations through a third-party broker (app.rubeai.io) using a single bearer token (RUBE_API_KEY). This centralizes access and increases supply-chain risk: compromise of the key or Rube backend could enable full mailbox read/write/delete and data exfiltration. There is also risk from the availability of bulk destructive actions without enforced technical confirmations. There is no direct evidence of malware or obfuscation in the provided documentation itself, but the design requires strong operational controls (least-privilege scopes, per-action consent, auditing, token rotation) before deployment in sensitive environments. Recommend treating this as medium risk unless Rube's security posture and token scoping are validated and enforced.