email-invoice-processor

Pass

Audited by Gen Agent Trust Hub on Apr 12, 2026

Risk Level: SAFE
DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill accesses sensitive information by connecting to user email accounts via IMAP. While credentials (email and authorization code) are stored locally in config.json as a recommended practice, the script performs network operations to external mail servers and potentially unknown URLs extracted from email bodies.
  • [EXTERNAL_DOWNLOADS]: The script automatically follows and downloads content from URLs found within email bodies. It uses the requests library and Playwright (headless Chromium) to interact with these remote resources. This behavior is triggered by external, unverified data (email content).
  • [COMMAND_EXECUTION]: The skill invokes browser automation via Playwright and executes external CLI commands for dependency installation (e.g., playwright install chromium), which involves executing code derived from external sources.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8).
      • Ingestion points: Untrusted data enters the agent context through email subjects, bodies, and attachments processed in scripts/process_invoices.py via imaplib and email modules.
      • Boundary markers: Absent. The script does not use delimiters or instructions to ignore embedded commands within the processed emails.
      • Capability inventory: The skill possesses network capabilities (requests, playwright, imaplib), file system write access (saving PDFs and Excel files to the Desktop), and data parsing capabilities (pdfplumber).
      • Sanitization: The script includes basic filename sanitization to remove illegal characters but lacks validation or sanitization for the content of the links it follows or the data it extracts into Excel files.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 12, 2026, 05:56 AM