gmail-multi-inbox
Pass
Audited by Gen Agent Trust Hub on Mar 26, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from the user's Gmail inbox (specifically email subjects and sender headers) to discover and categorize domains. An attacker could send an email with instructions designed to influence the agent's behavior during the scanning phase.
- Ingestion points: The skill uses
search_gmail_messages(via an external connector) to scan the last 6 months of email history, promotional emails, and notifications. - Boundary markers: No specific boundary markers or instructions to ignore embedded commands are used when the agent processes the retrieved email data.
- Capability inventory: The agent has the capability to write to the local filesystem (
assets/config.jsonandassets/gmail-multi-inbox-setup.js). - Sanitization: The skill lacks explicit sanitization or validation of the email content before processing, relying on the agent's internal logic to extract domains correctly.
- [SAFE]: The skill performs extensive scanning of the user's Gmail history (last 6 months, categories, specific keywords). This is necessary for its stated purpose of inbox organization and does not involve exfiltration to external domains. The generated Google Apps Script is provided transparently for the user to review and execute manually in their own Google Cloud environment.
Audit Metadata