recipe-batch-reply-to-emails
Pass
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: SAFE, PROMPT_INJECTION
Full Analysis
- [SAFE]: The skill uses the 'gws' (Google Workspace) command-line tool, which is consistent with the author 'googleworkspace'. All described operations—listing, reading, sending, and modifying emails—are standard and intended functions for this utility.
- [PROMPT_INJECTION]: The skill processes untrusted external data (email content), creating a surface for indirect prompt injection.
  - Ingestion points: The skill retrieves email message content using the `gws gmail users messages get` command in `SKILL.md`.
  - Boundary markers: There are no specific delimiters or instructions provided to the agent to treat the ingested email content as data rather than instructions.
  - Capability inventory: The skill possesses the ability to send new emails (`gws gmail +send`) and modify message labels, which could be exploited if an ingested email contains malicious instructions that the agent follows.
  - Sanitization: The recipe does not specify any sanitization or validation of the email body before it is used by the agent.
Audit Metadata