gws-cli
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Executes the 'gws' binary to perform operations across Google Drive, Gmail, Sheets, and other Workspace services. The skill follows best practices by instructing the agent to confirm intent before any write, update, or delete operations and to prefer read-only commands for inspection.
- [EXTERNAL_DOWNLOADS]: Installs the '@googleworkspace/cli' tool via NPM or Cargo. These downloads originate from official Google-managed repositories and registries, which are recognized as trusted sources.
- [PROMPT_INJECTION]: Identifies a potential surface for indirect prompt injection as the tool reads content from external sources such as Gmail messages or Drive documents.
  - Ingestion points: Untrusted data enters the context through 'gws drive files list', 'gws drive files get', and 'gws gmail users messages get' as defined in 'SKILL.md'.
  - Boundary markers: The skill provides structural guidance, instructing the agent to confirm intent and use JSON formatting to clearly delineate API responses from instructions.
  - Capability inventory: The skill possesses extensive write capabilities, including 'insert', 'update', 'patch', and 'delete' across the Google Workspace API surface.
  - Sanitization: The skill relies on the CLI's native JSON output to ensure data is handled as structured content rather than executable instructions.
Audit Metadata