Trust Assessment
google-workspace received a trust score of 67/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 2 high, 1 medium, and 0 low severity. Key findings: an unpinned npm package dependency, an arbitrary file write via `drive.downloadFile`, and broad access to Google Workspace services.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Unpinned npm package dependency.** The skill's setup instructions use `npm install -g @presto-ai/google-workspace-mcp` and `npx @presto-ai/google-workspace-mcp` without specifying a version. This means that future executions could pull the latest version of the package, which might contain malicious code, vulnerabilities, or breaking changes introduced by a supply chain attack. It's crucial to pin dependencies to specific versions to ensure reproducibility and security. Pin the `@presto-ai/google-workspace-mcp` package to a specific, known-good version (e.g., `npm install -g @presto-ai/google-workspace-mcp@1.2.3`). Update the `mcporter config add` command to also reference the pinned version if `npx` is used to execute it, or ensure `npx` uses the globally installed pinned version. | LLM | SKILL.md:29 |
| HIGH | **Arbitrary file write via `drive.downloadFile`.** The `drive.downloadFile` tool allows specifying an arbitrary `localPath` for downloaded files. If an attacker can influence the `localPath` argument (e.g., through prompt injection into the LLM), they could instruct the skill to write files to sensitive system locations (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) or to publicly accessible directories, potentially leading to data exfiltration, system compromise, or denial of service by overwriting critical files. Implement strict validation and sanitization for the `localPath` argument within the `google-workspace-mcp` tool. Restrict downloads to a designated, sandboxed directory (e.g., `/tmp/skill_downloads/`) and prevent directory traversal (e.g., `../`). | LLM | SKILL.md:70 |
| MEDIUM | **Broad access to Google Workspace services.** The skill provides access to a wide range of powerful Google Workspace functionalities, including Gmail (search, send, modify), Calendar (create, update, delete events), Drive (search, download), Docs, Sheets, Chat, and People. While the user explicitly grants these permissions via OAuth, the LLM, once authorized, gains extensive access to sensitive personal and organizational data across these services. A compromised LLM could potentially misuse these broad permissions to read, modify, or exfiltrate a significant amount of user data. Clearly document the full scope of Google Workspace permissions requested during the OAuth flow. Advise users to grant only the minimum necessary permissions if possible, or to use a dedicated, restricted Google account for skill execution. Consider whether the skill's core functionality truly requires access to all 49 listed tools, and whether a more granular permission model could be implemented in the underlying library. | LLM | SKILL.md:100 |