Back to skill

Security audit

Gmail

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Gmail integration that discloses its email access and send/manage capabilities, with no evidence of hidden code or off-purpose behavior.

Install only if you are comfortable giving Maton-mediated access to the connected Gmail account. Use a dedicated or least-privilege Google account where possible, confirm all sends or modifications before they run, specify the intended connection when multiple accounts are linked, and revoke the Maton OAuth connection when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
83% confidence
Finding
The activation description is broad enough to match many generic email-related requests, which can cause the skill to be invoked in situations where the user did not clearly intend Gmail access. In a high-privilege integration that can read and send email, overbroad routing increases the chance of unintended access to sensitive mailbox content or unintended write actions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill prominently documents reading messages, threads, and profile data but does not provide a strong, explicit privacy warning that mailbox contents may include highly sensitive personal, financial, legal, or credential-related information. Because email is a concentrated source of sensitive data, lack of clear disclosure and consent guidance raises the risk of over-collection or users authorizing access without understanding the privacy implications.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.