executive-digest
Warn
Audited by Gen Agent Trust Hub on Mar 25, 2026
Risk Level: MEDIUM
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill reads sensitive information from the workspace `.env` file and a `user.json` configuration file, which typically contain API keys, tokens, and personal identifiers.
- [COMMAND_EXECUTION]: The skill executes various system commands and local scripts using the `Bash` tool, including `todoist-cli`, `gog`, `mcporter`, and `python3`. It specifically invokes a local script `skill_log.py` and sources environment variables directly into the shell context.
- [DATA_EXFILTRATION]: The skill aggregates private data from Gmail, Google Calendar, and Todoist, then transmits this information to external endpoints via WhatsApp and Slack. While this is the stated purpose, the capability to send aggregated sensitive data to external services presents a risk if the agent's logic is subverted.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted data from external sources.
  - Ingestion points: Data is ingested from Gmail threads (`gog gmail thread get`), meeting transcripts (`mcporter call granola query_granola_meetings`), and Todoist tasks (`todoist-cli review`) in `SKILL.md`.
  - Boundary markers: The instructions do not specify any delimiters or instructions to the model to ignore embedded commands within the processed emails or transcripts.
  - Capability inventory: The skill has access to `Bash(curl:*)`, `Bash(python3:*)`, and `Write` tools, which could be exploited if an attacker embeds malicious instructions in an email or meeting note.
  - Sanitization: There is no evidence of sanitization or filtering applied to the external content before it is processed by the model or used in summaries.
Audit Metadata