add-gmail
Fail
Audited by Gen Agent Trust Hub on Jun 19, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill repeatedly executes code from an unverified NPM package (
@gongrzhe/server-gmail-autoauth-mcp) usingnpx -y. This package is responsible for handling Gmail authentication and serving as the core MCP integration, but it does not originate from a trusted organization or well-known service. - [CREDENTIALS_UNSAFE]: The instructions guide users to download sensitive Google Cloud OAuth secrets (
gcp-oauth.keys.json) and store them in~/.gmail-mcp/. These credentials, along with generated access tokens (credentials.json), are processed and potentially modified by the unverified third-party MCP tool. - [INDIRECT_PROMPT_INJECTION]: The 'Channel Mode' implementation creates an autonomous loop that fetches unread emails and feeds their content directly into the agent's prompt, creating a high-risk attack surface.
- Ingestion points: Incoming email content is fetched via the
checkForNewEmailsfunction defined insrc/email-channel.tsandSKILL.md. - Boundary markers: The skill uses simple XML-style tags (
<email>,<body>) insrc/index.tsto wrap content, which can be easily escaped by a malicious sender. There are no instructions to the agent to ignore embedded commands within the email body. - Capability inventory: The agent runner is configured with high-privilege tools including
Bash,Read,Write, andEdit, as well as full Gmail access (sending, searching, and reading emails). - Sanitization: No sanitization, escaping, or filtering is performed on the
email.bodycontent before it is interpolated into the prompt insrc/index.ts. - [COMMAND_EXECUTION]: The skill performs extensive file system modifications and service restarts using Bash commands, including modifying application source code (
src/index.ts,src/container-runner.ts) and database schemas, which could lead to system instability if not carefully monitored.
Recommendations
- AI detected serious security threats
Audit Metadata