gmail
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, CREDENTIALS_UNSAFE)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill possesses a high-risk attack surface for indirect prompt injection by processing external content with write-capable tools.
  - Ingestion points: `scripts/gmail.py` fetches untrusted data including `snippet`, `subject`, and `from` headers via the `_get_message_details` method.
  - Boundary markers: None. The script returns raw data which is directly interpolated into the agent's context.
  - Capability inventory: The skill includes the `create_draft` function, which allows for the creation of new email content.
  - Sanitization: No sanitization or filtering is performed on the ingested email content to prevent it from being interpreted as instructions by the agent.
- [Credentials Unsafe] (HIGH): The script manages sensitive OAuth2 credentials and tokens in a predictable local directory.
  - Evidence: `scripts/gmail.py` hardcodes `CREDENTIALS_DIR` to `~/.gmail_credentials/`, containing `token.json` and `credentials.json`. Access to these files would allow an attacker to hijack the authenticated Gmail session.
Recommendations
- AI detected serious security threats