outlook-web
Pass
Audited by Gen Agent Trust Hub on Apr 15, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill enforces a strict read-only boundary using agent-browser Action Policies (e.g., policy-read.json, policy-search.json) with a 'default: deny' posture. Destructive actions like send, delete, or move are not in the allow-lists.
- [SAFE]: Implements prompt injection defense by setting 'AGENT_BROWSER_CONTENT_BOUNDARIES=1' on all browser operations and using a 'stripContentBoundaries' utility to ensure untrusted page content is handled as data.
- [SAFE]: Uses 'spawnSync' with an arguments array rather than shell string interpolation, mitigating potential shell command injection from search queries or identifiers.
- [SAFE]: Employs session persistence via named sessions in the user's home directory, maintaining security boundaries across invocations without exposing raw credentials.
- [SAFE]: Provides clear security documentation in 'SKILL.md' and reference files, specifically warning against passing untrusted content to the 'copilot-summary' command to prevent injection amplification.
- [SAFE]: All external domains accessed are well-known Microsoft services (outlook.office.com, teams.microsoft.com, login.microsoftonline.com).