superhuman
Warn
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: MEDIUMCREDENTIALS_UNSAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill extracts and caches OAuth access and refresh tokens in
~/.config/superhuman-cli/tokens.json. These credentials provide persistent access to the user's Gmail and Outlook accounts. If these files are accessed by an attacker or another process, the user's entire email history and identity could be compromised.\n- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted content from email messages.\n - Ingestion points: Untrusted data enters the agent context via
superhuman read,superhuman inbox, andsuperhuman searchcommands defined in SKILL.md.\n - Boundary markers: There are no documented delimiters or instructions to ignore embedded commands within the retrieved email text.\n
- Capability inventory: The agent has the ability to perform sensitive actions including
superhuman send,superhuman delete,superhuman archive, andsuperhuman attachment download.\n - Sanitization: The skill lacks any mentioned sanitization or filtering for the external email content before it is processed by the LLM.\n- [COMMAND_EXECUTION]: The agent is granted broad permission to execute any command within the
superhumannamespace. This allows the agent to manipulate the user's email state, including sending unauthorized messages, deleting important communications, or exfiltrating data via attachments.
Audit Metadata