listener-creator
Pass
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection Surface: The skill processes untrusted data from incoming emails and incorporates it into AI prompts for classification and decision-making. This could potentially allow an attacker to influence the agent's behavior via email content.
  - Ingestion points: The email subject and body fields are accessed in files such as templates/ai-classifier.ts and templates/urgent-watcher.ts.
  - Boundary markers: Current templates interpolate email content directly into prompt strings without utilizing distinct delimiters or explicit instructions to ignore embedded directives.
  - Capability inventory: The listener context allows for actions including archiving, starring, and labeling emails, as well as sending notifications.
  - Sanitization: The skill does not currently perform validation or escaping of the email content before processing.
- Dynamic Script Generation: The core functionality of this skill involves writing TypeScript files to a specific listener directory (agent/custom_scripts/listeners/). These generated scripts are intended to be executed by the system to monitor and respond to email events. While necessary for the skill's operation, the generation of executable code is a pattern that warrants standard security oversight.