inbox-assistant
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies extensively on executing the
inboxdCLI tool to perform all operations, including reading, searching, analyzing, deleting, and sending emails. - [EXTERNAL_DOWNLOADS]: The skill requires the installation of an external Node.js package from the npm registry using
npm install -g inboxd. This package is authored by the same vendor as the skill. - [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection due to its core function of processing untrusted data from an external source (Gmail).
- Ingestion points: Untrusted content enters the agent context through
inboxd analyzeandinboxd readcommands, which fetch email bodies, snippets, and subject lines. - Boundary markers: The instructions do not define specific delimiters or "ignore embedded instructions" warnings to separate email content from the agent's internal logic during analysis.
- Capability inventory: The agent has high-impact capabilities including deleting emails (
inboxd delete), sending new emails (inboxd send), replying to messages (inboxd reply), and archiving content (inboxd archive). - Sanitization: There is no evidence of content sanitization or filtering to prevent malicious instructions embedded in emails from influencing the agent's behavior.
Audit Metadata