google-workspace-setup
Warn
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the agent to download and run the `google-workspace-mcp` package using `npx -y` at runtime. This package is hosted on npm and sourced from a third-party repository (github.com/taylorwilsdon/google_workspace_mcp) which is not among the verified or trusted organizations.
- [REMOTE_CODE_EXECUTION]: Running `npx google-workspace-mcp` allows for the execution of remote code on the user's machine. While intended to facilitate a connection to Google Workspace, this pattern grants execution rights to an unverified third-party package.
- [COMMAND_EXECUTION]: The skill uses shell commands (`npx`) and potentially other MCP tools to interact with the file system and network during the setup and testing phases.
- [DATA_EXFILTRATION]: The skill accesses and processes highly sensitive data, including private emails, calendar events, and documents. It creates a local credential file at `System/.gmail-oauth-token.json`. While the skill claims data is summarized and discarded, the access scope includes broad read/write permissions for Google services.
- [PROMPT_INJECTION]:
  - Ingestion points: The skill reads external data from emails (sender, subject, keyword) and Google Docs into the agent's context.
  - Capability inventory: The skill has capabilities to write configuration files, execute shell commands, and send emails via the MCP server.
  - Boundary markers: The instructions do not specify any delimiters or safety markers to differentiate between system instructions and the untrusted content fetched from Gmail or Google Docs.
  - Sanitization: No sanitization or validation of the ingested email or document content is required by the instructions before it is processed by the agent.
Audit Metadata