instantly-autoreply
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through its handling of external email data.
- Ingestion points: The incoming email data is extracted from the `reply_text` or `reply_html` fields of the Instantly webhook payload in `scripts/instantly_autoreply.py`.
- Boundary markers: The prompt construction lacks robust delimiters or explicit instructions to ignore potentially malicious commands within the email body, using only a simple 'MESSAGE:' label.
- Capability inventory: The skill has the ability to send automated email replies via the Instantly API using the `send_reply` function in `scripts/instantly_autoreply.py`.
- Sanitization: No sanitization, escaping, or validation is performed on the incoming email content before it is interpolated into the prompt string for the Anthropic Claude API.
Audit Metadata