google-drive-knowledge-bank
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted content from external Google Drive meeting notes. Malicious instructions embedded within these notes could be executed by the agent during the retrieval and synthesis phase. \n
- Ingestion points: Google Drive documents exported via
gws drive files exportas described in SKILL.md. \n - Boundary markers: Absent. The agent reads the full content of identified relevant meetings and synthesizes an answer without using specific boundary delimiters or instructions to ignore embedded instructions. \n
- Capability inventory: Shell command execution (grep, jq), file system writing, and Google Drive API interaction through the
gwsCLI tool. \n - Sanitization: Meeting content is escaped using
jq -Rs .before being stored in JSON files, but metadata such as filenames and IDs used in shell script interpolation is not validated. \n- [COMMAND_EXECUTION]: The skill utilizes shell scripts to process file lists and metadata. Variables derived from Google Drive metadata (e.g.,$FILE_NAME,$FILE_ID) are interpolated into shell commands and JSON templates without exhaustive escaping, which could lead to unintended behavior if filenames contain shell metacharacters. \n- [EXTERNAL_DOWNLOADS]: The skill requires the installation of the@googleworkspace/cliNPM package to interact with Google Drive services. This is an official CLI tool for a well-known service and is documented neutrally as a functional requirement.
Audit Metadata