Trust Assessment
gmail-client-PM received a trust score of 82/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. Key findings include Use of Gmail App Password grants excessive permissions, Potential for command injection or data exfiltration through unsanitized user input.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings2
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Use of Gmail App Password grants excessive permissions The skill requires `GMAIL_PASS` (App Password) environment variable for authentication. Gmail App Passwords typically grant full access to the associated Gmail account, including reading, sending, deleting emails, and managing contacts. This level of access is often broader than necessary for specific skill functionalities (e.g., listing unread emails or sending a single email), significantly increasing the potential impact if the credential is compromised. A compromised App Password could lead to full account takeover within the scope of the skill's execution environment. Recommend migrating to OAuth 2.0 for Gmail API access. OAuth allows for granular scope definition (e.g., `https://www.googleapis.com/auth/gmail.readonly` for reading, `https://www.googleapis.com/auth/gmail.send` for sending), enabling the skill to request only the minimum necessary permissions. This adheres to the principle of least privilege. | LLM | SKILL.md:10 | |
| MEDIUM | Potential for command injection or data exfiltration through unsanitized user input The skill's usage examples describe direct passing of user-provided arguments (`<EMAIL_ID>`, `<TO>`, `<SUBJECT>`, `<BODY>`) to a Python script (`gmail_tool.py`). If these arguments are not properly sanitized and validated within `gmail_tool.py` before being used in shell commands (e.g., `subprocess.run`) or included in email content, it could lead to command injection (e.g., `read '123; rm -rf /'`) or data exfiltration (e.g., sending sensitive data in the `BODY` to an arbitrary `<TO>` address controlled by an attacker). While the `SKILL.md` itself doesn't perform the injection, it describes the interface that enables it if the underlying script is vulnerable. Implement robust input validation and sanitization for all user-provided arguments within `skills/gmail-client/scripts/gmail_tool.py`. Ensure that arguments are properly escaped or quoted when used in shell commands, and that email content is sanitized to prevent injection of malicious scripts or arbitrary data. For email sending, validate the `<TO>` address against allowed domains or patterns if applicable. | LLM | SKILL.md:23 |
Scan History
Embed Code
[](https://skillshield.io/report/4e2a4eaccc3b41a3)
Powered by SkillShield