google-workspace
Pass
Audited by Gen Agent Trust Hub on Apr 19, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses `subprocess` to manage several legitimate tasks:
  - `scripts/setup.py` executes `pip install` to ensure the required Google API client libraries are available.
  - `scripts/google_api.py` and `scripts/gws_bridge.py` execute the `gws` (Google Workspace CLI) tool to perform API operations when it is installed on the user's system.
- [EXTERNAL_DOWNLOADS]: The `scripts/setup.py` file facilitates the installation of standard, well-known Python packages from the Python Package Index (PyPI), including `google-api-python-client`, `google-auth-oauthlib`, and `google-auth-httplib2`.
- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface as it ingests untrusted data from external sources. Evidence chain:
  - Ingestion points: Untrusted data enters the agent context through Gmail messages (`gmail get`), Drive files (`drive search`), and Docs content (`docs get`) in `scripts/google_api.py`.
  - Boundary markers: Absent. The raw text from emails and documents is retrieved and displayed without specific delimiters or instructions to ignore embedded commands.
  - Capability inventory: The skill has significant write capabilities, including `gmail send`, `calendar create`, and `sheets update` in `scripts/google_api.py`.
  - Sanitization: There is no explicit sanitization or filtering of external content before it is processed by the agent. However, `SKILL.md` includes a mandatory rule requiring user confirmation before any write operations are performed, providing a manual guardrail against automated exploitation.
Audit Metadata