google-workspace
Fail
Audited by Gen Agent Trust Hub on Apr 16, 2026
Risk Level: HIGH (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches the official Google Cloud SDK installer from sdk.cloud.google.com during the setup process.
- [REMOTE_CODE_EXECUTION]: Executes the Google Cloud SDK installation script as part of the recommended setup flow.
- [COMMAND_EXECUTION]: The auth-setup.sh script automates dependency installation via pip and manages the local storage of authentication tokens in the user's configuration directory.
- [DATA_EXFILTRATION]: The skill enables extensive access to sensitive user data within Google Workspace, including Gmail, Drive, and Docs, which is necessary for its automation functions.
- [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection due to its ability to ingest and process content from external sources.
  - Ingestion points: Data enters the agent context through API calls that read Gmail messages, Drive files, and Google Docs or Sheets content.
  - Boundary markers: No specific instructions are provided to help the agent distinguish between its core logic and potentially malicious instructions embedded in retrieved data.
  - Capability inventory: The agent can perform significant actions such as sending emails, modifying files, and managing calendar events based on processed information.
  - Sanitization: There is no evidence of data sanitization or validation performed on the text retrieved from Google APIs before it is evaluated by the agent.
Recommendations
- HIGH: Downloads and executes remote code from: https://sdk.cloud.google.com - DO NOT USE without thorough review