gmail-workflows
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE PROMPT_INJECTION DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill processes incoming emails which are untrusted external inputs. An attacker could embed malicious instructions in email bodies or metadata to influence the agent's behavior.
  - Ingestion points: Gmail tools (gmail_search, gmail_get_attachments) and triggers defined in SKILL.md.
  - Boundary markers: None present. There are no instructions provided to the model to ignore or delimit embedded commands within the email data.
  - Capability inventory: The skill possesses significant capabilities including archiving emails, uploading files to Google Drive, and sending notifications via Slack and SMS (gmail_archive, gdrive_upload, notify_slack, send_sms).
  - Sanitization: No sanitization or validation logic is defined to check email content or attachment names for malicious payloads before processing.
- [DATA_EXFILTRATION]: Data Exposure Risk. The skill is designed to move sensitive communications and attachments from Gmail to Google Drive and external notification platforms like Slack. While these are core features, they establish a data flow that could be exploited to exfiltrate information if the agent's logic is subverted via the indirect injection surface.
Audit Metadata