add-gmail
Fail
Audited by Snyk on Jun 19, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt explicitly asks the user to paste their GCP OAuth JSON (or provide its path) and includes shell commands that write the JSON verbatim into files, which forces the agent to handle and output sensitive credential values directly.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 0.90). This skill grants persistent programmatic read/write access to a user's Gmail (via an external npx MCP), instructs mounting OAuth credentials into a container, and explicitly tells the user to bypass Google "unverified app" warnings — together these patterns enable high-risk data exfiltration and account abuse if misused.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.95). In Channel Mode, the runtime email polling/triggering reads outsider-authored email body text (from Gmail messages created by other people) and injects it into the agent prompt via
prompt = ... <body>${email.body}</body>before callingrunEmailAgent, which then feeds that prompt into the LLM context.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill invokes remote code at runtime via npx (e.g., "npx -y @gongrzhe/server-gmail-autoauth-mcp"), which will fetch and execute a third-party package that the skill depends on for Gmail MCP functionality.
Issues (4)
W007
HIGHInsecure credential handling detected in skill instructions.
E006
CRITICALMalicious code pattern detected in skill scripts.
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata