morning-email-rollup
Fail
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [Command Execution] (HIGH): The skill description explicitly states that email bodies are passed as part of the prompt string to the Gemini CLI because the tool does not handle stdin correctly. This design creates a severe command injection vulnerability where a malicious email containing shell metacharacters (e.g., semicolons, backticks, or subshell syntax) could execute arbitrary commands on the host system.
- [Prompt Injection] (LOW): The skill is highly susceptible to indirect prompt injection because it processes untrusted data from Gmail and passes it to an LLM without adequate security boundaries.
  - Ingestion points: Gmail messages retrieved via the `gog` CLI (specifically `rollup.sh`).
  - Boundary markers: Absent; the email content is appended directly to the instruction prompt string.
  - Capability inventory: Subprocess execution (via `bash`), CLI interaction (`gemini`, `gog`, `jq`), and network messaging (Telegram delivery).
  - Sanitization: The skill only performs basic HTML/CSS cleaning and quote stripping for formatting; it does not implement any shell escaping or prompt injection mitigations.
- [Unverifiable Dependencies] (MEDIUM): The skill requires non-standard external binaries `gog` and `gemini` which are not from trusted organizations and are not standard OS packages, increasing the supply chain risk.
Recommendations
- AI detected serious security threats
Audit Metadata