skills/harperaa/bastionclaw/add-gmail/Gen Agent Trust Hub

add-gmail

Fail

Audited by Gen Agent Trust Hub on Jun 19, 2026

Risk Level: HIGHREMOTE_CODE_EXECUTIONCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill repeatedly executes code from an unverified NPM package (@gongrzhe/server-gmail-autoauth-mcp) using npx -y. This package is responsible for handling Gmail authentication and serving as the core MCP integration, but it does not originate from a trusted organization or well-known service.
  • [CREDENTIALS_UNSAFE]: The instructions guide users to download sensitive Google Cloud OAuth secrets (gcp-oauth.keys.json) and store them in ~/.gmail-mcp/. These credentials, along with generated access tokens (credentials.json), are processed and potentially modified by the unverified third-party MCP tool.
  • [INDIRECT_PROMPT_INJECTION]: The 'Channel Mode' implementation creates an autonomous loop that fetches unread emails and feeds their content directly into the agent's prompt, creating a high-risk attack surface.
  • Ingestion points: Incoming email content is fetched via the checkForNewEmails function defined in src/email-channel.ts and SKILL.md.
  • Boundary markers: The skill uses simple XML-style tags (<email>, <body>) in src/index.ts to wrap content, which can be easily escaped by a malicious sender. There are no instructions to the agent to ignore embedded commands within the email body.
  • Capability inventory: The agent runner is configured with high-privilege tools including Bash, Read, Write, and Edit, as well as full Gmail access (sending, searching, and reading emails).
  • Sanitization: No sanitization, escaping, or filtering is performed on the email.body content before it is interpolated into the prompt in src/index.ts.
  • [COMMAND_EXECUTION]: The skill performs extensive file system modifications and service restarts using Bash commands, including modifying application source code (src/index.ts, src/container-runner.ts) and database schemas, which could lead to system instability if not carefully monitored.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Jun 19, 2026, 11:59 AM
Security Audit — agent-trust-hub — add-gmail