I’d think that ship has sailed in this case. The author already publicly stated that they would be able to make the package do “something malicious” within Google if they wanted. So however they change it after the fact, they’d run the risk of being accused of malicious intent.
"Something malicious" would be very different than sending a proof-of-concept email. "Something malicious" might be, for example, snarfing up data, or having one engineer commit malicious code and having another one approve it.
Indeed, the email could walk through malicious use-cases like these, which either leak customer data or damage Google infrastructure.
