email-write
Pass
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it processes instructions and data from external sources without sufficient safeguards.
- Ingestion points: The workflow dynamically reads content from
email-profile.md(user preferences) andreferences/copy-frameworks.md(framework logic and examples) to determine agent behavior and output structure. - Boundary markers: The instructions do not define boundary markers (e.g., XML tags or delimiters) or provide "ignore embedded instructions" warnings when interpolating data from these files into the agent's context.
- Capability inventory: The skill is granted
Read,Write,Grep, andGlobtools. If the ingested files contain malicious instructions, an attacker could potentially trick the agent into misusing these file system capabilities. - Sanitization: There is no evidence of sanitization, validation, or filtering of the content retrieved from the local markdown files before it is used to influence the agent's writing process.
Audit Metadata