Security audit

drivectl - your command-line tool for interacting with Google Drive

Security checks across malware telemetry and agentic risk

Overview

This skill is useful for Google Drive work, but it gives an agent broader Google Workspace power than its description suggests and installs an external CLI with an integrity-check weakness.

Install only if you trust the upstream `drivectl` release and are comfortable giving an agent Google account access. Use the narrowest OAuth scopes and a low-privilege account where possible, manually verify downloaded binaries, and require explicit approval before any write, sharing, permission, Gmail, Calendar, or other non-Drive/Docs/Sheets action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill relies on shell execution but does not declare corresponding permissions, which weakens transparency and any permission-based safety controls around command execution. In this context, shell access is especially sensitive because the documentation also directs the agent to run an installer script and a CLI that can authenticate to Google accounts and access user data.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill claims to help with Google Drive/Docs/Sheets tasks, but its instructions expand behavior to downloading and installing software via a bundled script. That materially changes the trust boundary: an agent invoking this skill could fetch and execute code from outside the declared purpose, enabling supply-chain compromise or unintended system modification.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The manifest frames the skill as Drive/Docs/Sheets assistance, but the documentation broadens it to dynamic invocation of arbitrary Google Workspace API endpoints. This scope expansion undermines least privilege and can let the agent perform actions well beyond what a user would reasonably infer from the skill metadata.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Authorizing a generic capability to call any Google Workspace API endpoint creates an overly broad action surface that is not justified by the skill's stated purpose. In an agent setting, this can lead to unauthorized access, modification, or exfiltration across multiple Google services if cached credentials or granted scopes are reused.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The documentation explicitly expands the skill from Drive/Docs/Sheets into "almost any Google Workspace API endpoint" via a generic dynamic call primitive. That materially broadens the skill's authority and encourages use of APIs outside the declared scope, which can enable sensitive actions such as mailbox, calendar, or identity-related operations under the user's existing Google credentials.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The file names unrelated APIs like Calendar and Gmail as valid targets despite the skill being described only for Drive, Docs, and Sheets. This creates a scope mismatch that can mislead downstream agents into performing actions on unrelated and highly sensitive data domains, increasing the chance of unauthorized access, data exfiltration, or destructive changes.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The authentication guidance normalizes local token caching without warning about persistence, account scope, or privacy implications. In an agent or shared environment, cached OAuth tokens can be reused by later processes or users, potentially exposing Drive, Docs, and Sheets data beyond the immediate task.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The markdown provides direct examples for creating documents and changing file permissions through dynamic API calls, but it gives no warning that these operations are write actions with external side effects. In an agent setting, that omission increases the risk that an automated workflow will perform irreversible or security-sensitive changes without explicit user awareness or confirmation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation instructs the agent to update Google Sheets data but does not warn that the command performs a remote write against user-owned cloud content. In an agent setting, missing mutation warnings increase the chance of unintended or unauthorized changes, especially if the model treats the example as a routine read-like operation and executes it without explicit user confirmation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The installer explicitly continues when neither sha256sum nor shasum is available, which means a downloaded executable may be installed without any integrity verification. Because this script fetches a binary from the network and then executes trust-sensitive installation steps, an attacker who can tamper with the download path, release asset, or local network could cause installation of a malicious binary with no hard failure.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.