outlook
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: CRITICAL
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- REMOTE_CODE_EXECUTION (CRITICAL): The skill requires users to run unverified scripts piped to bash from an untrusted domain (canifi.com) for both skill installation and environment setup. Evidence: `curl -sSL https://canifi.com/skills/outlook/install.sh | bash` and `curl -sSL https://canifi.com/install.sh | bash`.
- EXTERNAL_DOWNLOADS (HIGH): The installation process fetches code from external, non-trusted sources without any integrity checks or version pinning.
- CREDENTIALS_UNSAFE (HIGH): The skill explicitly advises users to store their email passwords in the `SERVICE_PASSWORD` environment variable. This plaintext credential storage is accessible to the agent and other local processes.
- PROMPT_INJECTION (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8).
  1. Ingestion points: External email content from Microsoft Outlook web interface.
  2. Boundary markers: Absent; there are no instructions to the agent to distinguish between user commands and data-embedded instructions.
  3. Capability inventory: Extensive write privileges including composing, sending, replying, and folder management.
  4. Sanitization: Absent; the agent processes raw email content directly without filtering.
- DATA_EXFILTRATION (HIGH): The combination of unverified remote code execution and full access to private emails (including send/forward capabilities) provides multiple high-risk paths for automated data theft.
Recommendations
- CRITICAL: Downloads and executes remote code from untrusted source(s): https://canifi.com/install.sh, https://canifi.com/skills/outlook/install.sh - DO NOT USE
- AI detected serious security threats