google-apps-script
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- Indirect Prompt Injection (LOW): The skill implements patterns that ingest untrusted data and process it through sensitive capabilities without adequate sanitization or boundary markers.\n
- Ingestion points:
e.valuesfrom Google Form submissions inreferences/patterns.mdandsheet.getValues()for spreadsheet data inassets/spreadsheet-automation-template.js.\n - Boundary markers: Absent. External data is directly interpolated into template strings for emails and logs.\n
- Capability inventory:
MailApp.sendEmail,GmailApp.reply, andUrlFetchApp.fetch.\n - Sanitization: Absent. Untrusted inputs are used directly in email notification bodies and subjects, creating a risk where an attacker (via form input or shared sheet data) could influence the agent's outgoing communications or trigger unintended logic.\n- Data Exposure & Exfiltration Surface (LOW): The skill includes utilities for making network requests to arbitrary URLs.\n
- Evidence:
references/patterns.md(Pattern: Retry Logic for API Calls) defines afetchWithRetryfunction usingUrlFetchApp.fetch(url).\n - Context: While used for legitimate API integrations, the lack of URL validation or whitelisting presents a potential surface for data exfiltration if the input URL is controlled by an attacker through indirect injection or agent manipulation.
Audit Metadata