google-chat
Pass
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (LOW): The skill relies on local scripts (scripts/auth.py and scripts/chat.py) for all operations. These scripts were not provided for analysis, which prevents a full verification of the execution logic and API call implementation.
- [PROMPT_INJECTION] (LOW): The skill provides a surface for indirect prompt injection by reading external chat messages. Ingestion points: Data retrieved via the 'get-messages' command in scripts/chat.py. Boundary markers: None specified in the documentation to isolate chat content from agent instructions. Capability inventory: Write access to Google Chat via 'send-message', 'send-dm', and 'setup-space'. Sanitization: No sanitization or filtering of ingested messages is mentioned.
- [CREDENTIALS_UNSAFE] (SAFE): The skill correctly implements secure credential management by using the 'keyring' library, which leverages OS-level secure storage (like macOS Keychain or Windows Credential Locker) rather than storing tokens in plain text.
Audit Metadata