Security Audit

google-drive-automation

github.com/sickn33/antigravity-awesome-skills

AI SkillCommit e36d6fd3b3f6

TRUSTED

Scanned 2 days ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

google-drive-automation received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.

SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Skill exposes tools for broad Google Drive permission management.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.

Last analyzed on February 20, 2026 (commit e36d6fd3). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

100%

Dependency Graph

100%

LLM Behavioral Safety

85%

Behavioral Risk Signals

Filesystem Write

1 finding

Excessive Permissions

1 finding

Security Findings1

Severity	Finding	Layer	Location
HIGH	Skill exposes tools for broad Google Drive permission management The skill documentation details the use of `GOOGLEDRIVE_ADD_FILE_SHARING_PREFERENCE` with `type='anyone'` and `role='owner'`, and `GOOGLEDRIVE_DELETE_PERMISSION`. These tools, if invoked by the LLM, can grant public access to files, transfer file ownership, or revoke existing access, leading to significant data exposure or loss of control over sensitive documents. Although the documentation includes a warning about the risks of `type='anyone'` and powerful roles, the availability of these capabilities to an unconstrained LLM poses a high risk. Implement strict guardrails and mandatory human confirmation for sensitive Google Drive operations, especially those involving `GOOGLEDRIVE_ADD_FILE_SHARING_PREFERENCE` with `type='anyone'` or `role='owner'`, and `GOOGLEDRIVE_DELETE_PERMISSION`. Ensure the LLM is explicitly instructed to seek user approval before executing such actions. Consider limiting the OAuth scopes granted to the Rube MCP connection if these capabilities are not strictly necessary for the skill's intended use.	LLM	SKILL.md:152

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/d7dc537ba75d018a.svg)](https://skillshield.io/report/d7dc537ba75d018a)