skills/plurigrid/asi/utoronto-outlook/Gen Agent Trust Hub

utoronto-outlook

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
  • PROMPT_INJECTION (HIGH): High risk of Indirect Prompt Injection (Category 8). The skill ingests untrusted external data from email bodies and subjects via list, read, and search functions without implementing boundary markers or robust sanitization to prevent the agent from following embedded instructions. When combined with the skill's capability to send emails and access private messages, this creates a high-risk surface for agent hijacking.
  • COMMAND_EXECUTION (HIGH): Deliberate security bypass of administrative policy (Category 5). The skill explicitly implements a technique to use a pre-authorized Client ID (Thunderbird) to circumvent Microsoft Entra ID admin consent requirements (AADSTS65002). This allows the bypass of organizational security protocols intended to restrict third-party application access to university mailboxes.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 01:00 PM