inbox-processing-example
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The workflow processes potentially attacker-controlled content from task notes while possessing high-privilege tool access.
- Ingestion points: External data is ingested via 'read_tasks(include_notes=True)' in SKILL.md.
- Boundary markers: There are no documented delimiters (e.g., XML tags) or system instructions to ignore commands embedded within the task text.
- Capability inventory: The skill has powerful write capabilities across multiple platforms, including 'edit_task', 'create_project', 'add_tags', and 'migrate_inbox_to_notion'.
- Sanitization: The skill lacks any sanitization or validation of the content processed from the inbox. A malicious task note could hijack the LLM's logic to reassign tasks, delete information, or exfiltrate data to an unauthorized Notion block.
- Data Exposure (LOW): The skill reads from 'private-prefs/personal-taxonomy.json'. While necessary for the feature, this exposes the user's private work structure and organizational metadata to the agent during the high-risk processing phase.
Recommendations
- AI detected serious security threats
Audit Metadata