gmail-invoice-processor
Pass
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: SAFE
PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (LOW): The skill processes untrusted data from Gmail messages and PDF attachments without using boundary markers or sanitization to prevent embedded instructions from influencing agent behavior.
  - Ingestion points: SKILL.md instructions (Step 1 & 2) and scripts/gmail_attachment_helper.py ingest data from email subjects, bodies, and attachment filenames.
  - Boundary markers: Absent. The agent is not instructed to isolate or ignore instructions within the processed content.
  - Capability inventory: The agent can write files to the local system (Path.write_bytes) and execute Python scripts via subprocess.
  - Sanitization: Absent. While regex is used for data extraction, it does not sanitize input for security purposes.
- Data Exposure & Exfiltration (LOW): The SKILL.md file provides a code snippet (Step 2, Approach A) that saves email attachments using the filename provided by the Gmail API without sanitization. An attacker could provide a malicious filename (e.g., ../.ssh/authorized_keys) to attempt directory traversal and overwrite sensitive files in the agent's environment.
- Command Execution (SAFE): The skill executes a local Python script (extract_invoice_data.py) to process downloaded PDFs. This is the intended primary purpose of the skill.
- Unverifiable Dependencies (SAFE): The skill uses pdfplumber and openpyxl, which are standard and trustworthy libraries for PDF and Excel processing.
Audit Metadata