Email & Calendar Scopes — the read-write boundary matters
Giving an agent access to email is the fastest way to unlock high-value use cases — and the fastest way to cause a catastrophe. Scope discipline is the whole game.
The threat
An agent with Gmail 'modify' scope can send, delete, archive, and move emails. A single prompt injection in an email body can exfiltrate data, delete evidence, or impersonate you. The default OAuth scopes most people accept are far broader than needed.
What to do about it
1. Read-only by default
Triage, summarization, search — all work with read-only scope. Most use cases don't need write. Start read-only; escalate only when required.
2. Draft-only for sending
The agent writes to the drafts folder; you review and send. Never grant send scope without this gate.
3. Never grant delete scope
Deleted emails can be forensic evidence during an incident. An agent with delete scope can destroy its own tracks. Archive is always enough.
4. Use labels for agent actions
Every email the agent touches gets a label. You can audit or undo wholesale.
5. Review OAuth grants monthly
Google, Microsoft, and Apple all have an 'apps with access' page. Revoke anything you don't actively use.
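One way to check a grant against rules 1 to 3, as an added example that is not part of the original page: the scope URLs are Google's published Gmail and Calendar scopes, while the capability names and the `audit_scopes` and `violated_rules` helpers are hypothetical. Gmail's `gmail.compose` scope covers sending as well as drafts, so the draft-only gate has to be enforced in the agent's tool layer rather than by the OAuth grant alone.

```python
# Added example: check granted OAuth scopes against rules 1-3 above.
# Capability sets paraphrase Google's published scope descriptions.
G = "https://www.googleapis.com/auth/"
SCOPE_CAPS = {
    G + "gmail.readonly": {"read"},
    G + "gmail.labels": {"manage_labels"},        # label definitions only
    G + "gmail.send": {"send"},
    G + "gmail.compose": {"draft", "send"},       # drafts and send together
    G + "gmail.modify": {"read", "manage_labels", "draft", "send", "trash"},
    "https://mail.google.com/": {"read", "manage_labels", "draft", "send",
                                 "trash", "delete"},
    G + "calendar.readonly": {"read"},
    G + "calendar": {"read", "calendar_write"},
}

# (rule number from the list above, capabilities that trigger it, finding)
RULES = [
    (2, {"send"}, "send is reachable; enforce the draft gate in the agent's tools"),
    (3, {"trash", "delete"}, "mail can be trashed or deleted with this scope"),
]

def audit_scopes(granted):
    """Map each granted scope to a list of (rule, finding) tuples."""
    report = {}
    for scope in granted:
        caps = SCOPE_CAPS.get(scope)
        if caps is None:  # rule 0 is this example's marker for "not in the table"
            report[scope] = [(0, "unknown scope; look it up before trusting it")]
            continue
        extra = sorted(caps - {"read"})
        findings = [(1, "broader than read-only: " + ", ".join(extra))] if extra else []
        findings += [(n, msg) for n, trigger, msg in RULES if caps & trigger]
        report[scope] = findings
    return report

def violated_rules(granted):
    """Sorted rule numbers violated by the grant as a whole."""
    return sorted({n for f in audit_scopes(granted).values() for n, _ in f})

if __name__ == "__main__":
    # Constructed grant for a hypothetical triage agent.
    grant = [G + "gmail.modify", G + "calendar.readonly"]
    for scope, findings in audit_scopes(grant).items():
        for rule, text in findings or [(None, "ok")]:
            print(scope, "| rule", rule, "|", text)
```
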
Real-world examples
- An email-triage agent with full modify scope encountered a prompt injection in a newsletter and archived 800 emails matching 'invoice' into trash.
- An agent with send scope auto-replied to a phishing email with internal scheduling info, confirming the target was human and active.
Examples are illustrative, composited from public incident reports and community posts.