gmail-skill
Pass
Audited by Gen Agent Trust Hub on Apr 24, 2026
Risk Level: SAFEPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It ingests untrusted data from email bodies, subjects, and contact details which could contain malicious instructions intended to manipulate the agent's future actions.
- Ingestion points: Email content and contact details are retrieved via the
gmail_skill.pyscript and presented to the agent. - Boundary markers: The
SKILL.mdprovides explicit instructions to the agent to confirm before sending emails, which serves as a behavioral boundary, but no technical delimiters are used for the data itself. - Capability inventory: The skill allows for sending emails, archiving messages, modifying labels, and searching contacts via subprocess calls in
SKILL.md. - Sanitization: No explicit sanitization of email content is performed before it is passed to the agent's context.
- [DATA_EXFILTRATION]: The skill facilitates the reading and searching of sensitive personal information, including emails and contacts. While this is the intended purpose, it represents a data exposure surface if the agent is manipulated into sending this information to unauthorized recipients.
Audit Metadata