gmail
Pass
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION EXTERNAL_DOWNLOADS
Full Analysis
- Indirect Prompt Injection (LOW): The skill is vulnerable to indirect prompt injection because it processes untrusted data from an external source (Gmail).
  - Ingestion points: Untrusted data enters the agent context through `scripts/gmail.py search` and `scripts/gmail.py get` (README.md, SKILL.md).
  - Boundary markers: The documentation does not specify the use of delimiters or 'ignore embedded instructions' warnings when processing email bodies.
  - Capability inventory: The skill possesses significant write capabilities, including `send`, `create-draft`, and `modify` (labels) via `scripts/gmail.py`.
  - Sanitization: There is no evidence of sanitization or filtering of email content before it is processed by the LLM.
- External Downloads (SAFE): The skill requires the installation of the `keyring` package via pip (requirements.txt). This is a standard library for interacting with system credential stores and is considered safe.
- Command Execution (SAFE): The skill relies on local Python scripts (`scripts/auth.py`, `scripts/gmail.py`) to perform its functions. While these involve command execution, they are part of the skill's primary intended purpose.
Audit Metadata