google-workspace
Pass
Audited by Gen Agent Trust Hub on Apr 21, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of an external package, `@googleworkspace/cli`, which is downloaded from the NPM registry. While the package name corresponds to official Google Workspace services, it is an external dependency managed by the skill.
- [COMMAND_EXECUTION]: The skill relies on the `gws` CLI tool to perform operations across Google Workspace services. It also employs Python code at runtime to generate JSON payloads for document updates, which are subsequently processed by shell commands.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) due to its processing of data from untrusted external sources without sufficient isolation.
  - Ingestion points: Data enters the agent's context from Gmail message content, Google Docs body text, and spreadsheet cell values.
  - Boundary markers: The instructions do not define boundary markers or provide explicit guidance to the agent on ignoring instructions embedded within the ingested data.
  - Capability inventory: The skill grants the agent extensive capabilities, including the ability to read, write, create, and delete resources within Google Drive, Docs, Sheets, and Gmail.
  - Sanitization: There is no evidence of sanitization or validation of the content retrieved from external sources before it is interpreted by the agent.
Audit Metadata