email-drafting

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
Tags: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • Dynamic Execution (MEDIUM): The script 'run.py' manipulates the Python search path ('sys.path') using a computed relative path to include external scripts from '../../scripts'. This can lead to the loading of unintended modules if the directory structure is manipulated.
  • Dynamic Execution (MEDIUM): The test file 'tests/test_email.py' utilizes 'importlib' and 'exec_module' to dynamically load and execute 'run.py'. While common in testing, dynamic loading of local files can be exploited to execute unintended code if paths are modified.
  • Indirect Prompt Injection (LOW):
    1. Ingestion points: The 'collect' function in 'run.py' accepts user-controlled data for 'purpose', 'recipient', 'context', 'thread', and other elements.
    2. Boundary markers: The generated 'draft_prompt' does not use delimiters or specific instructions to ignore embedded commands within these user-supplied elements.
    3. Capability inventory: The skill output is intended for LLM consumption; malicious instructions embedded in input elements (such as 'purpose' or 'context') could hijack the agent's behavior during the drafting phase.
    4. Sanitization: No input validation or sanitization is performed on the extracted email elements before they are incorporated into the prompt.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 06:36 PM