internal-comms
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE PROMPT_INJECTION DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection because it is explicitly instructed to ingest and summarize content from attacker-controllable sources such as public Slack channels, shared Google Drive documents, and company-wide emails.
- Ingestion points: Found in examples/3p-updates.md, examples/company-newsletter.md, and examples/faq-answers.md, which direct the agent to fetch data from Slack posts, Google Drive docs, and emails.
- Boundary markers: Absent. The instructions do not provide any delimiters or system-level warnings to the agent to ignore embedded instructions within the data it retrieves.
- Capability inventory: The agent is expected to have read access to Slack, Email, Calendar, and Google Drive through integrated tools.
- Sanitization: Absent. There are no guidelines for filtering, escaping, or validating the content retrieved before it is processed or summarized.
- [DATA_EXFILTRATION]: The skill demonstrates a high risk for data exposure by directing the agent to aggregate sensitive information from multiple corporate communication and storage platforms.
- Evidence: The workflow in examples/3p-updates.md and examples/company-newsletter.md encourages the agent to seek out "critical team members'" documents, "non-recurring meetings," and "emails from executives." This aggregation process can inadvertently expose private or sensitive information (PII, trade secrets) if the resulting summary is shared in less secure channels (e.g., broad Slack channels or newsletters).