gmail
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFEPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The YAML frontmatter description uses directive markers ("CRITICAL: You MUST activate", "override default email behavior") designed to force the agent to prioritize this skill's logic over its core instructions.
- [DATA_EXFILTRATION]: The instruction to always use HTML formatting including
<img>tags provides a mechanism for tracking pixels or remote resource requests that can leak information about the user's email interactions. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted data from emails using high-privilege capabilities.
- Ingestion points: Data enters the agent's context through
gmail.searchandgmail.getas described inSKILL.md. - Boundary markers: The instructions do not define delimiters or provide warnings for the agent to ignore commands found within email bodies.
- Capability inventory: The skill enables the agent to perform
gmail.send,gmail.createDraft, andgmail.downloadAttachment(SKILL.md). - Sanitization: There are no instructions for sanitizing HTML content or validating file paths when downloading attachments to the local filesystem.
Audit Metadata