outlook-automation
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSDATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill requires the addition of an external MCP server endpoint (
https://rube.app/mcp). This domain is not on the list of trusted sources (e.g., Anthropic, Microsoft, Vercel) and serves as the bridge for all tool executions. - [DATA_EXFILTRATION] (MEDIUM): Sensitive data—including full email bodies, attachments, calendar schedules, and contact details—is processed by and transmitted to the
rube.appservice. This introduces a supply-chain risk where a compromise of this third-party service could result in the exposure of private Microsoft 365 data. - [INDIRECT_PROMPT_INJECTION] (LOW): The skill is designed to ingest and process untrusted data from external sources (emails and calendar descriptions).
- Ingestion points:
OUTLOOK_SEARCH_MESSAGES,OUTLOOK_GET_MESSAGE, andOUTLOOK_LIST_EVENTSallow the agent to read arbitrary content from a user's mailbox. - Boundary markers: Absent. The skill does not provide instructions to the agent on how to differentiate between legitimate user commands and malicious instructions embedded in email bodies.
- Capability inventory: The associated tools allow for creating contacts, downloading attachments, and searching messages.
- Sanitization: No evidence of sanitization or content filtering is provided in the skill instructions.
Audit Metadata