skills/ticruz38/skills/email/Gen Agent Trust Hub

email

Fail

Audited by Gen Agent Trust Hub on Feb 12, 2026

Risk Level: HIGH

EXTERNAL_DOWNLOADS, COMMAND_EXECUTION

Full Analysis

================================================================================

🟡 VERDICT: MEDIUM

This skill provides Gmail integration. The primary security concerns stem from its dependencies. It relies on local file-based dependencies (@openclaw/google-oauth and @openclaw/auth-provider) whose code is not included in this analysis and thus cannot be verified. Additionally, it uses sqlite3, a native Node.js module, which involves downloading pre-compiled binaries or compiling native code, introducing a higher risk than pure JavaScript dependencies. While the skill itself implements good security practices like setting secure permissions for its cache directory and communicating only with trusted Google APIs, the unverified nature of its core dependencies elevates the overall risk.

Total Findings: 3

🟡 MEDIUM Findings:

  • Unverifiable Local Dependencies
    • package.json, package-lock.json: The skill depends on @openclaw/auth-provider and @openclaw/google-oauth via local file paths (file:../auth-provider, file:../google-oauth). The security of this skill is directly tied to the security of these unverified local dependencies, which are not part of this analysis.
  • Native Module Dependency
    • package.json, package-lock.json: The skill uses sqlite3, a native Node.js module. Native modules involve downloading pre-compiled binaries or compiling C++ code, which inherently carries a higher risk of arbitrary code execution compared to pure JavaScript dependencies. The prebuild-install mechanism used by sqlite3 fetches pre-compiled binaries, relying on the integrity of those binaries.

🔵 LOW Findings:

  • Attachment Handling
    • src/index.ts (Line 496): The getAttachment function retrieves raw attachment content as a Buffer. While the skill itself does not mishandle or exfiltrate this data, an agent utilizing this skill would need to implement robust security measures (e.g., malware scanning, secure storage, content sanitization) when processing these buffers to prevent potential vulnerabilities from malicious attachments.

================================================================================

Recommendations

  • Contains 1 malicious URL(s) - DO NOT USE

Audit Metadata

  • Risk Level: HIGH
  • Analyzed: Feb 12, 2026, 10:12 PM