outlook
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads content from external emails and calendar events. An attacker could send a malicious email that, when processed by the agent, triggers unintended actions.
  - Ingestion points: Untrusted data enters via scripts/outlook-mail.sh (read, inbox, search) and scripts/outlook-calendar.sh (events).
  - Boundary markers: No specific delimiters or instructions to ignore embedded commands are mentioned in the documentation.
  - Capability inventory: The skill has high-impact capabilities including sending emails, deleting messages, and updating calendar entries.
  - Sanitization: The documentation mentions HTML-to-text conversion, but this does not prevent natural language instructions from influencing the agent.
- [COMMAND_EXECUTION]: The skill relies on local shell scripts (scripts/outlook-setup.sh, etc.) to perform all operations, requiring the user to execute local code for setup and daily use.
- [DATA_EXFILTRATION]: The skill accesses sensitive personal information, including private emails and calendars. This creates a risk profile where an agent could be manipulated into forwarding this data to unauthorized parties.
- [CREDENTIALS_UNSAFE]: OAuth2 access tokens, refresh tokens, and client secrets are stored locally in the ~/.outlook-mcp/ directory, which could be targeted by other malicious processes on the user's system.
Audit Metadata