google-workspace
Warn
Audited by Gen Agent Trust Hub on Apr 20, 2026
Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION]: The provided Python code snippets use `pickle.load()` to retrieve saved credentials from `token.pkl`. The `pickle` module is inherently insecure, as it can be used to execute arbitrary code during deserialization if the input file is maliciously crafted or replaced.
- [DATA_EXFILTRATION]: The skill requests and uses broad permissions to read sensitive user data from Gmail, Google Drive, Google Docs, and Google Sheets. It explicitly references local access to sensitive authentication files such as `service-account.json`, `credentials.json`, and `token.pkl`. While these are functional requirements for Google API access, they represent a significant exposure risk.
- [PROMPT_INJECTION]: The skill facilitates reading content from external, untrusted sources (emails, documents, and spreadsheets) and lacks markers to separate this data from agent instructions. This creates an indirect prompt injection surface.
  - Ingestion points: Reads email bodies via `service.users().messages().get()`, document content via `service.documents().get()`, and spreadsheet data via `sheet.values().get()`.
  - Boundary markers: No delimiters or instructions to ignore embedded commands are present in the examples.
  - Capability inventory: The skill has write access to send emails, update spreadsheets, and modify documents, which could be abused if the agent follows malicious instructions hidden in the ingested data.
  - Sanitization: There is no evidence of validation or sanitization for the content retrieved from external sources.
- [COMMAND_EXECUTION]: Setup instructions include `pip install` commands for well-known and official libraries like `google-api-python-client` and `google-auth`.
- [EXTERNAL_DOWNLOADS]: Fetches dependencies from official registries to enable interaction with Google's API infrastructure.
Audit Metadata