google-workspace
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill references the @anthropic/google-mcp package for installation. This is a trusted resource from a well-known organization and is used for establishing the official Model Context Protocol connection.
- [CREDENTIALS_UNSAFE]: The documentation describes the use of the GOOGLE_APPLICATION_CREDENTIALS environment variable. This is a standard and secure industry practice for managing Google Cloud Service Account authentication rather than hardcoding credentials.
- [PROMPT_INJECTION]: The skill facilitates the ingestion of external data, creating a surface for indirect prompt injection.
  - Ingestion points: Untrusted data enters the context when reading email contents via gmail_get_message or file information via google_drive_get_file (SKILL.md).
  - Boundary markers: There are no explicit instructions for the agent to use delimiters or to ignore potential instructions embedded within the retrieved emails or documents.
  - Capability inventory: The skill possesses capabilities that could be abused if an injection is successful, specifically sending emails (gmail_send_message) and modifying calendar events (google_calendar_update_event) (SKILL.md).
  - Sanitization: The skill includes a hitl (human-in-the-loop) requirement for sending emails, which serves as a significant mitigation against automated exfiltration or social engineering attempts.
Audit Metadata