cortex-mine
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script scripts/cortex-mine.py executes the gws (Google Workspace CLI) tool via subprocess.run to interact with Gmail resources for listing and fetching threads.
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of external dependencies, specifically @googleworkspace/cli via the NPM registry and the anthropic Python library via PyPI.
- [DATA_EXFILTRATION]: Private email content (including subjects, participants, and body text) is transmitted to the Anthropic API for analysis. While central to the skill's purpose, users should be aware that sensitive correspondence is sent to a third-party AI provider.
- [PROMPT_INJECTION]: The skill has an attack surface for Indirect Prompt Injection (Category 8). It ingests untrusted data from external Gmail threads and interpolates it into an extraction prompt for the LLM. Because the email body text is not isolated by strong boundary markers or sanitized, a maliciously crafted email could potentially manipulate the LLM's output to store incorrect data or ignore extraction rules.
  - Ingestion points: Email thread data is fetched in scripts/cortex-mine.py using the gws CLI.
  - Boundary markers: Absent. The EXTRACTION_PROMPT in scripts/cortex-mine.py uses simple string formatting to include the email body without delimiters or warnings to ignore embedded instructions.
  - Capability inventory: The skill maintains the ability to write to local files (~/.cortex/) including contacts.json, clients.json, communications.jsonl, and knowledge.jsonl.
  - Sanitization: The script performs basic cleanup of markdown fences from the LLM output but does not escape or validate the input email content before it is processed.
Audit Metadata