gmail-reply
Pass
Audited by Gen Agent Trust Hub on Feb 25, 2026
Risk Level: SAFE, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted external data in the form of incoming email bodies. This creates a surface for Indirect Prompt Injection, where a sender might include instructions to influence the draft generation.
  - Ingestion points: The `get_message_details` function in `references/gmail-api.md` extracts email bodies for LLM processing.
  - Boundary markers: Not explicitly defined in the prompt assembly logic, though the skill uses separate analysis and drafting steps.
  - Capability inventory: The skill has the ability to send emails and create drafts via the `gmail.send` and `gmail.compose` API scopes.
  - Sanitization: The skill includes a robust `check_sensitive_data` function using regular expressions to detect and redact sensitive information like PII and credentials before a draft is finalized.
- [EXTERNAL_DOWNLOADS]: The skill communicates with official Google API endpoints (`googleapis.com`) to manage email data. These are well-known, trusted services and do not pose a security risk in this context.
- [SAFE]: The implementation strictly adheres to a human-in-the-loop (HITL) model, where the `SKILL.md` workflow explicitly mandates user approval (Step 5: User Approval) before any email is sent, preventing autonomous data exfiltration or unauthorized communication.