gmail-read
Pass
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface (Category 8) because it retrieves untrusted data from external Gmail accounts.
- Ingestion points: Data enters the agent context through the GMAIL_FETCH_EMAILS and GMAIL_FETCH_MESSAGE_BY_MESSAGE_ID actions in gmail-broker.ts.
- Boundary markers: The skill does not wrap retrieved email content in explicit delimiters, nor does it instruct the agent that commands embedded within email content are untrusted and may be malicious.
- Capability inventory: The skill is limited to read-only operations (search, list, fetch message, fetch attachment, get profile) by an internal allowlist, preventing modifications to the mailbox.
- Sanitization: Email content returned from the Composio API is passed to the agent without additional filtering or sanitization.
Audit Metadata