google-chat-api
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE EXTERNAL_DOWNLOADS PROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (LOW): The skill's `README.md` recommends installing `google-chat-cards` from npm, an external package from an untrusted source.
- EXTERNAL_DOWNLOADS (SAFE): `templates/bearer-token-verify.ts` performs a fetch to `googleapis.com` to retrieve public keys for signature verification; this is a trusted source per [TRUST-SCOPE-RULE].
- PROMPT_INJECTION (LOW): Indirect prompt injection surface detected in `templates/interactive-bot.ts` where untrusted user text is interpolated into bot responses.
  - Ingestion points: `event.message.text` in `templates/interactive-bot.ts`.
  - Boundary markers: Absent.
  - Capability inventory: Generation of JSON payloads and Markdown cards for the Google Chat API.
  - Sanitization: Absent.
Audit Metadata