gcp-workspace-pivot

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes code and shell examples that print and embed service account private keys and OAuth access tokens (e.g., printing delegated_creds.token and using Bearer tokens in curl), which requires handling secret values verbatim and thus is insecure.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This content is an explicit offensive playbook instructing how to misuse GCP Service Accounts and Domain‑Wide Delegation to impersonate users, exfiltrate Gmail/Drive/Calendar/Admin data, create persistent backdoors (new DWD, admin accounts, OAuth apps, forwarding/filters, App Script), and avoid detection—i.e., deliberate malicious/abuse behavior.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's required workflow (SKILL.md and references/workspace-post-exploit.md) explicitly instructs generating delegated OAuth tokens and calling Gmail/Drive/Calendar/Admin APIs (e.g., curl and Python examples) to fetch and parse user-generated emails, files, and calendar entries from target Workspace domains, which are untrusted third-party content that the agent must read and can materially influence subsequent actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt instructs writing service-account keys to disk and explicitly to modify the google-cloud-sdk config.py to inject OAuth scopes (i.e. edit local SDK files), which are direct modifications of the host state and thus push the agent to compromise the machine.