google-workspace
Pass
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: SAFE DATA_EXFILTRATION PROMPT_INJECTION
Full Analysis
- [INDIRECT_PROMPT_INJECTION]: The skill ingests untrusted data from multiple sources including Google Doc content (scripts/gdrive_transcript_search.py), Gmail snippets (scripts/gmail_search.py), and Calendar event descriptions (scripts/google_calendar_search.py). Malicious instructions embedded in these external sources could influence the agent's behavior, especially given the skill's capabilities to create folders and upload files.
  - Ingestion points: get_file_content in scripts/gdrive_transcript_search.py reads document text; search_messages in scripts/gmail_search.py reads email snippets.
  - Boundary markers: None identified; content is passed directly to the agent context.
  - Capability inventory: File upload (scripts/google_drive_upload.py), folder creation (scripts/create_client_folder.py), and recursive search across Drive, Gmail, and Calendar.
  - Sanitization: No sanitization or validation of the ingested content is performed before processing.
- [DATA_EXPOSURE]: The skill manages highly sensitive data (Gmail, Drive, Calendar) and uses local files to store OAuth credentials and refresh tokens (client_secrets.json, mycreds.txt, gmail_token.pickle, calendar_token.pickle). Compromise of the local environment would grant an attacker persistent access to the user's Google account.
- [REMOTE_CODE_EXECUTION]: The scripts scripts/gmail_search.py and scripts/google_calendar_search.py use the pickle module to deserialize locally stored credentials. While these files are generated by the script itself, the use of pickle.load() on the local filesystem represents a potential risk if the environment is tampered with.
- [EXTERNAL_DOWNLOADS]: The skill depends on standard, well-known libraries such as pydrive2, google-auth, and google-api-python-client. These are legitimate dependencies for interacting with Google's APIs.
Audit Metadata