send-email
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUMDATA_EXFILTRATIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION] (MEDIUM): The skill allows sending arbitrary content and file attachments to any email address provided in the 'to' field. This creates a direct path for an agent to exfiltrate sensitive local data or files (e.g., using 'file-content://' URIs) to external recipients.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The installation process relies on a remote identifier ('skp-wyrq1wha0i2ktf9jrbcggaiq') from the Refly platform. This is an untrusted third-party source not included in the 'Trusted External Sources' list, making the underlying code and any associated dependencies unverifiable before installation.
- [PROMPT_INJECTION] (MEDIUM): Category 8: Indirect Prompt Injection surface. The skill ingests untrusted data in the 'html' and 'subject' fields and has the capability to send this data externally via email. An attacker could embed instructions in data processed by the agent to trigger unauthorized email transmissions or data theft.
- Ingestion points: 'subject', 'html', and 'attachments' fields in the JSON input (SKILL.md).
- Boundary markers: Absent; input is interpolated directly into the email context without delimiters or 'ignore embedded instructions' warnings.
- Capability inventory: External network communication via email delivery and local file access via attachment URIs.
- Sanitization: No evidence of sanitization or validation of the recipient address or body content provided.
Audit Metadata