gmail-to-crm-pipeline

Warn

Audited by Gen Agent Trust Hub on Apr 10, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the mcp__claude_ai_Supabase__execute_sql tool to interact with a database. It constructs SQL INSERT and UPDATE statements using data extracted directly from untrusted inbound emails (e.g., contact names, company names, and inquiry summaries). This pattern is susceptible to SQL injection if an attacker sends an email containing malicious SQL syntax designed to manipulate the database.
  • [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8). It ingests untrusted data from the user's Gmail inbox via mcp__claude_ai_Gmail__gmail_read_message (SKILL.md). While it mentions stripping signatures and disclaimers, it lacks explicit boundary markers or instructions to ignore malicious commands embedded within the email body. This untrusted content is then used to influence the agent's behavior during lead scoring, response drafting, and CRM logging. The skill possesses significant capabilities, including executing shell commands (Bash), writing local files (lead-pipeline-report.md), and performing database operations, which could be exploited via successful injection.
    • Ingestion points: Gmail message content retrieved via mcp__claude_ai_Gmail__gmail_read_message (SKILL.md, Phase 1).
    • Boundary markers: Absent. The skill does not use delimiters or specific instructions to isolate the LLM from potential commands within the processed emails.
    • Capability inventory: SQL execution (mcp__claude_ai_Supabase__execute_sql), shell access (Bash tool), local file writing (Write tool for reports), and Gmail draft creation (mcp__claude_ai_Gmail__gmail_create_draft).
    • Sanitization: The skill lacks explicit sanitization or escaping logic for interpolating external email content into prompt templates or SQL queries.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Apr 10, 2026, 05:26 PM