cortex-mine
Pass
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the `gws` (Google Workspace) command-line interface to interact with the Gmail API, listing and retrieving message threads for processing.
- [EXTERNAL_DOWNLOADS]: Installation of the `@googleworkspace/cli` Node.js package and the `anthropic` Python library is required for the skill to function.
- [DATA_EXFILTRATION]: Email content is retrieved from the user's Gmail account and transmitted to the Anthropic API to facilitate structured data extraction and knowledge base building. This aligns with the skill's documented purpose.
- [PROMPT_INJECTION]: The skill processes untrusted email data, creating a surface for indirect prompt injection.
  - Ingestion points: The body text of Gmail threads is extracted in `scripts/cortex-mine.py` and included in the prompt sent to the LLM.
  - Boundary markers: While the prompt uses descriptive headers like `EMAIL THREAD:`, it lacks formal isolation techniques (such as XML tags or dedicated delimiters) to prevent the LLM from following instructions potentially contained within email bodies.
  - Capability inventory: The script has the ability to write extracted knowledge to the local directory `~/.cortex/`.
  - Sanitization: Email content is truncated for context limits but is not filtered for malicious instructional patterns.