outlook-automation
Warn
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill instructs users to add an external MCP server endpoint (https://rube.app/mcp). This domain is not among the trusted sources (e.g., GitHub organizations like Anthropic or Google), meaning the tool schemas and the backend logic are provided by an unverified third party.
- [REMOTE_CODE_EXECUTION] (MEDIUM): By configuring a remote MCP server, the agent effectively executes logic hosted on a remote system. The rube.app service controls the behavior of the Outlook tools, which includes processing sensitive user data.
- [PROMPT_INJECTION] (LOW): The skill is susceptible to indirect prompt injection because it processes untrusted data from email bodies and subjects.
  - Ingestion points: Untrusted data enters the agent context through tools like OUTLOOK_GET_MESSAGE, OUTLOOK_SEARCH_MESSAGES, and OUTLOOK_QUERY_EMAILS (File: SKILL.md).
  - Boundary markers: None identified. There are no instructions to the agent to treat the retrieved email content as untrusted or to use delimiters to prevent instruction leakage.
  - Capability inventory: The skill has broad capabilities, including creating contacts (OUTLOOK_CREATE_CONTACT), managing calendar events, and downloading attachments, which could be abused if an email contains malicious instructions.
  - Sanitization: There is no mention of sanitizing or validating email content before it is processed by the agent.
Audit Metadata