gmail
Fail
Audited by Gen Agent Trust Hub on Feb 14, 2026
Risk Level: HIGH (PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION)
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is highly vulnerable to indirect prompt injection because it ingests untrusted external data (email messages) and provides the agent with high-impact write capabilities.
  - Ingestion points: Retrieval of email threads and messages via `GET /google-mail/gmail/v1/users/me/messages/{messageId}` as defined in `SKILL.md`.
  - Boundary markers: Absent. There are no instructions or delimiters defined to separate untrusted email content from the agent's internal reasoning.
  - Capability inventory: The skill includes high-privilege capabilities such as `POST .../send`, `POST .../trash`, and `POST .../modify` in `SKILL.md`, allowing an attacker to influence the agent into performing unauthorized actions through malicious email content.
  - Sanitization: Absent. No evidence of content filtering or sanitization of retrieved data exists in the skill definition.
- DATA_EXFILTRATION (MEDIUM): The skill is designed to proxy all sensitive email data and user authentication tokens through `gateway.maton.ai`. This domain is not within the trusted scope, introducing a middle-man risk for sensitive personal communications.
- COMMAND_EXECUTION (LOW): The `SKILL.md` documentation encourages the use of shell-based Python heredocs (`python <<'EOF'`) to interact with the API, which promotes the execution of unverified scripts in the user's environment.
Recommendations
- AI detected serious security threats