google-workspace
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill's setup instructions and scripts facilitate the download of the Google Cloud SDK from Google's official domain (
sdk.cloud.google.com). This is a standard procedure for managing Google Cloud resources and Workspace APIs. - [REMOTE_CODE_EXECUTION]: The skill contains commands to execute remote scripts from an official Google source (
curl https://sdk.cloud.google.com | bash) to install the Google Cloud SDK. This is documented neutrally as it targets a well-known and trusted service provider. - [PROMPT_INJECTION]: As the skill is designed to read and process content from Google Docs, Gmail, and other Workspace services, it possesses an inherent attack surface for indirect prompt injection. Maliciously crafted content in an email or document could potentially influence agent behavior when processed. This is documented as a risk factor typical of skills that ingest untrusted external data.
- Ingestion points: Reads content from Gmail messages, Google Docs, and spreadsheet values (e.g.,
docs.documents().get(),gmail.users().messages().get(),ss.values().get()). - Boundary markers: None identified in the provided implementation examples to delimit untrusted content from system instructions.
- Capability inventory: Significant capabilities including sending emails, deleting files, managing user accounts (Admin SDK), and executing Apps Script functions.
- Sanitization: No explicit sanitization or filtering of the content retrieved from Workspace APIs is shown in the helper scripts before the data is processed or used in other API calls.
Audit Metadata