email-daily-summary
Fail
Audited by Gen Agent Trust Hub on Feb 14, 2026
Risk Level: HIGH
PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS
Full Analysis
- PROMPT_INJECTION (HIGH): Vulnerable to Indirect Prompt Injection (Category 8). The skill reads content from external emails (Ingestion: Gmail/Outlook DOM in SKILL.md) and processes it without delimiters or sanitization (Boundary: Absent, Sanitization: Absent). An attacker sending a malicious email could influence the agent's behavior via the high-privilege browser-use tool.
- COMMAND_EXECUTION (HIGH): The skill provides instructions for Persistence (Category 6) by suggesting users add scripts to crontab or macOS launchd. This establishes automated, long-term access to the user's email inbox on the local machine.
- REMOTE_CODE_EXECUTION (HIGH): Uses Dynamic Execution (Category 10) through browser-use eval (JS) and browser-use python blocks. These execute arbitrary code within the browser context, which is particularly dangerous when handling untrusted email data.
- DATA_EXFILTRATION (MEDIUM): Risks exposing sensitive PII by taking screenshots and extracting data from private email sessions (Category 2). It suggests using --browser real to share the user's entire browser session, significantly increasing the potential blast radius.
- EXTERNAL_DOWNLOADS (LOW): Requires installing browser-use[cli] via pip. While a standard tool, it is an external dependency that executes code on the host system.
Recommendations
- AI detected serious security threats
Audit Metadata