outlook-automation
Pass
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: SAFE PROMPT_INJECTION EXTERNAL_DOWNLOADS DATA_EXFILTRATION
Full Analysis
- Indirect Prompt Injection (LOW): The skill is designed to ingest and process untrusted data from Microsoft Outlook, including email bodies, subjects, and attachments. This creates a surface for indirect prompt injection attacks where a malicious email could contain instructions aimed at manipulating the agent's behavior.
- Ingestion points: Detected in tools OUTLOOK_GET_MESSAGE, OUTLOOK_SEARCH_MESSAGES, and OUTLOOK_DOWNLOAD_OUTLOOK_ATTACHMENT.
- Boundary markers: Absent; there are no instructions to the agent to treat email content as untrusted data or use delimiters.
- Capability inventory: The skill can read/search all emails, manage calendar events, and access contacts.
- Sanitization: Absent; no mention of filtering or escaping content from external messages.
- External Dependency (LOW): The skill requires the user to add an external MCP server (https://rube.app/mcp). This service is not on the trusted source list. While it is the primary mechanism for the skill's functionality, it involves routing sensitive mailbox data through third-party infrastructure. Severity is downgraded to LOW as it is the primary stated purpose of the skill.
- Data Exposure Risk (LOW): The skill facilitates access to highly sensitive Personally Identifiable Information (PII) stored in Outlook (emails, contacts, calendars). This access is mediated by the rube.app domain, which is a non-whitelisted external destination for data flow.