NYC

google-workspace

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • Prompt Injection (LOW): The skill is susceptible to indirect prompt injection due to its core functionality of reading external, untrusted content.
      • Ingestion points: Untrusted data enters the agent context via read_email.py (email body), search_emails.py (email snippets), and search_events.py (event summaries and descriptions).
      • Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present in the scripts when processing this data.
      • Capability inventory: The skill allows for writing operations such as create_draft.py and create_event.py, which could be exploited if an injected instruction is executed by the agent.
      • Sanitization: Only basic HTML tag stripping is performed in create_draft.py, with no semantic validation or sanitization of retrieved data.
  • Safe Practices (SAFE): The authentication logic in gmail_auth.py and calendar_auth.py correctly uses os.chmod to restrict access to token.json to the owner only, and the skill relies on official and trusted Google API libraries.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Feb 17, 2026, 05:42 PM