Is google-workspace-mcp safe?

https://clawhub.ai/dru-ca/google-workspace-mcp

62 · CAUTION

This skill is a markdown-only wrapper that delegates all functionality to the third-party npm package @presto-ai/google-workspace-mcp, fetched and executed at runtime via npx -y. While the skill repo itself contains no executable code and showed clean clone behavior, it exposes 49 Google Workspace tools (including email sending and file downloading) through a third-party OAuth proxy, creating significant data exfiltration and supply chain risks. The user's Google tokens flow through @presto-ai's infrastructure rather than a user-controlled OAuth client.

Category Scores

Prompt Injection 55/100 · 30%
Data Exfiltration 45/100 · 25%
Code Execution 50/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 40/100 · 5%

Findings (10)

HIGH · Third-party OAuth proxy controls Google tokens · -30

The skill bypasses Google Cloud Console by routing OAuth through @presto-ai's infrastructure. The user's Google access tokens and refresh tokens are managed by this third party rather than a user-controlled OAuth client. This means @presto-ai has the technical capability to access the user's Google Workspace data.

HIGH · Email and chat send capabilities enable data exfiltration · -25

The gmail.send, gmail.createDraft, chat.sendDm, and chat.sendMessage tools allow the agent to send arbitrary content to arbitrary recipients. A prompt injection or malicious companion skill could leverage these to exfiltrate conversation contents, local file data, or credentials to an attacker-controlled email address.

HIGH · Runtime code fetched from npm with auto-confirm · -30

The skill contains zero executable code itself — all functionality comes from npx -y @presto-ai/google-workspace-mcp which downloads and executes the latest version from npm at runtime. The -y flag auto-confirms execution. The npm package author can push malicious updates at any time without the skill version changing.

MEDIUM · Global npm install with potential lifecycle scripts · -20

The setup instructs npm install -g @presto-ai/google-workspace-mcp which runs with the user's full permissions and may execute preinstall/postinstall scripts that are not auditable from the skill repo alone.

MEDIUM · Extremely broad tool surface without safety guardrails · -25

The skill exposes 49 tools spanning 10 Google Workspace services, including sending emails, modifying calendars, downloading files, and messaging contacts. There is no mention of confirmation prompts, allow-lists, or rate limits. The agent is given carte blanche to perform actions on the user's Google account.

MEDIUM · Skill normalizes destructive filesystem operations · -10

The troubleshooting section instructs rm -rf ~/.config/google-workspace-mcp which normalizes recursive deletion commands in the agent's context. This could lower the agent's resistance to similar destructive commands from prompt injection attempts.

MEDIUM · Auto-confirm flag bypasses user consent for package execution · -10

The npx -y flag instructs the package manager to automatically confirm execution without prompting the user, reducing the user's ability to review what is being run.

LOW · Supply chain risk through runtime dependency · -20

The entire skill's security depends on the @presto-ai npm organization maintaining trustworthy code. Since the package is fetched at runtime (not pinned or vendored), a compromised npm account or malicious update would immediately affect all users without any change to the skill itself.

LOW · File download to arbitrary local paths · -5

drive.downloadFile accepts an arbitrary localPath parameter, allowing files to be written to any location the user has write access to, potentially overwriting sensitive files.

INFO · Clean clone and install, no malicious behavior detected · 0

The skill repository itself is minimal (SKILL.md + metadata files). No network connections, process spawning, or filesystem modifications were detected during clone and install. All filesystem events in monitoring are standard desktop environment background activity (GNOME tracker, nautilus, fontconfig).