The Agent Skills Directory

[COMMAND_EXECUTION]: The scripts/download_attachments.py file is vulnerable to path traversal. It constructs file paths using the filename property from email attachments (outdir / fn) without sanitization, potentially allowing an attacker to overwrite arbitrary files on the host system if the agent processes a specially crafted email.
[PROMPT_INJECTION]: The skill facilitates indirect prompt injection by ingesting untrusted data from Gmail messages into the agent's context.
Ingestion points: Gmail API message retrieval in scripts/list_messages.py and scripts/download_attachments.py.
Boundary markers: Absent; email content is processed as raw data without delimiters or explicit safety instructions to ignore embedded commands.
Capability inventory: The skill provides the ability to write files to the local file system and send outgoing emails via the Gmail API.
Sanitization: None; attachment filenames and email bodies are used directly in file system and API operations without filtering or validation.
[COMMAND_EXECUTION]: The scripts/oauth_cli.py script requests the https://www.googleapis.com/auth/calendar.events OAuth scope, which is unrelated to the skill's primary purpose of managing emails and violates the principle of least privilege.
[COMMAND_EXECUTION]: Several scripts contain hardcoded absolute paths pointing to the author's local environment (C:/Users/mz038/...). While this identifies the author, it represents poor configuration management that can lead to path resolution failures or unintended behavior on different user systems.

google-email