gmail
Pass
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: SAFE PROMPT_INJECTION NO_CODE
Full Analysis
- Indirect Prompt Injection (LOW): The skill provides an interface to read email content, which serves as an ingestion point for untrusted data that could contain malicious instructions.
  - Ingestion points: `scripts/gmail.py` via the `get` command, which retrieves full message bodies.
  - Boundary markers: No documentation suggests the use of delimiters or system instructions to ignore embedded prompts within retrieved emails.
  - Capability inventory: The skill possesses significant write capabilities, including `send`, `create-draft`, and `modify` (labels), which could be manipulated by a successful injection.
  - Sanitization: Verification of content escaping or sanitization is impossible as the script source code is missing.
- Data Exposure & Exfiltration (LOW): The documentation mentions a 'Google's cloud function' for token refresh. While this is likely for OAuth, it establishes a dependency on an external, unverified endpoint for credential management.
- Metadata Poisoning (SAFE): The skill metadata correctly describes its purpose as a Gmail integration tool.
- No Code (SAFE): The primary executable files (`scripts/auth.py` and `scripts/gmail.py`) are referenced in the documentation and SKILL.md but are not present in the provided file set.
Audit Metadata