google-apps-script
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFECREDENTIALS_UNSAFEDATA_EXFILTRATIONPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because its code templates for generating emails and HTML interfaces incorporate untrusted spreadsheet data into high-privilege actions without proper sanitization.
- Ingestion points: Data is read from spreadsheet cells via
sheet.getRange().getValues()in multiple files (e.g.,references/patterns.md,references/recipes.md). - Boundary markers: None present; data is directly concatenated into HTML and message strings.
- Capability inventory: The skill uses
MailApp.sendEmail(),UrlFetchApp.fetch(), andHtmlService.createHtmlOutput(). - Sanitization: Absent; templates show direct interpolation of cell values into HTML bodies, creating an XSS and injection surface if sheet content is attacker-controlled.
- [PROMPT_INJECTION]: The instructions in
SKILL.mdguide users to bypass the built-in Google Workspace safety warning for unverified Apps Script projects ('Advanced > Go to [Project Name] (unsafe) > Allow'), which can condition users to ignore security guardrails. - [DATA_EXFILTRATION]: The skill documents patterns for reading spreadsheet content and transmitting it to external endpoints using
UrlFetchApp.fetch(). While standard for GAS, this capability can be misused for exfiltration. - [CREDENTIALS_UNSAFE]: The 'PDF Export' pattern in
references/patterns.mddemonstrates the use ofScriptApp.getOAuthToken()to retrieve and use high-privilege session tokens for authenticating automated requests. - [COMMAND_EXECUTION]: The skill promotes the use of 'Installable Triggers' via
ScriptApp.newTrigger(). These triggers run with the permissions of the person who created them, creating a potential privilege escalation vector if a high-privilege user (e.g., an administrator) sets up a trigger that acts on data provided by lower-privileged users in a shared spreadsheet.
Audit Metadata