lark-mail
Pass
Audited by Gen Agent Trust Hub on Apr 13, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is exposed to indirect prompt injection risks as it ingests untrusted data from external emails.
  - Ingestion points: Untrusted data enters the agent context via email reading shortcuts such as +message, +messages, +thread, +triage, and +watch (SKILL.md).
  - Boundary markers: Instructions in SKILL.md explicitly define email content as data rather than instructions, establishing clear logical boundaries.
  - Capability inventory: The agent can perform impactful actions such as sending emails (+send, +reply, +forward), deleting messages (trash), and managing folders (SKILL.md and multiple reference files).
  - Sanitization: The skill implements strong procedural safeguards by requiring manual user confirmation for all outgoing or destructive operations and instructing the agent to ignore directive language within email bodies.
- [PROMPT_INJECTION]: A keyword-based detection for 'Ignore previous instructions' in SKILL.md was identified as a false positive. The phrase is used correctly within a security guideline to educate the agent on how to identify and disregard malicious content in emails.
Audit Metadata