granola
Warn
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: MEDIUM
Flags: CREDENTIALS_UNSAFE, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The script reads sensitive authentication tokens from ~/Library/Application Support/Granola/supabase.json. This file contains WorkOS access and refresh tokens used for API communication.
- [DATA_EXFILTRATION]: The skill accesses the Granola application's local cache at ~/Library/Application Support/Granola/cache-v4.json to retrieve meeting metadata and transcripts. These items contain potentially sensitive conversation data.
- [COMMAND_EXECUTION]: The skill operates by executing a local Python script that performs file system read/write operations and network requests to external domains.
- [PROMPT_INJECTION]: The skill presents an attack surface for indirect prompt injection.
  1. Ingestion points: Meeting transcripts and summaries are read from local application caches and fetched from the Granola API.
  2. Boundary markers: The script does not implement delimiters or safety instructions to isolate meeting content from agent instructions.
  3. Capability inventory: The script has capabilities to perform authenticated network requests and write files to the user's filesystem.
  4. Sanitization: There is no evidence of sanitization or validation of the text content extracted from the meeting data before processing.