outlook
Warn
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: MEDIUM
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill creates a significant surface for indirect prompt injection by processing untrusted data from email bodies, subjects, and calendar events. An attacker could send a malicious message that tricks the agent into misusing its capabilities.
  - Ingestion points: `scripts/outlook-mail.sh` (read, inbox, and search commands) and `scripts/outlook-calendar.sh` (read and events commands).
  - Boundary markers: Absent; untrusted content is presented to the agent context without delimiters or instructions to ignore embedded commands.
  - Capability inventory: The skill can send emails, delete messages, modify calendar events, and read arbitrary local files to add as attachments via the `attach` command.
  - Sanitization: Basic HTML tag stripping is performed via `gsub`, but the content is not sanitized for malicious instructional patterns.
- [COMMAND_EXECUTION]: A path traversal vulnerability exists in the `download` command of `scripts/outlook-mail.sh`. The script retrieves attachment filenames directly from the Microsoft Graph API response and uses them to construct local file paths without sanitizing for parent directory references (e.g., `..`). A malicious email containing an attachment with a crafted name could overwrite sensitive user files, such as shell configuration or SSH keys, when the agent executes a download.
Audit Metadata