gmail-automation
Pass
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: SAFENO_CODEPROMPT_INJECTION
Full Analysis
- [NO_CODE]: The skill references 'scripts/auth.py' and 'scripts/gmail.py' for all core functionality including authentication and email management, but these files were not included in the provided skill package, preventing a formal security audit of the execution logic.
- [PROMPT_INJECTION]: The skill's architecture presents a surface for indirect prompt injection (Category 8).
- Ingestion points: Untrusted data enters the agent context via 'scripts/gmail.py search' and 'scripts/gmail.py get' which retrieve external email bodies and metadata.
- Boundary markers: The instructions do not define delimiters or negative constraints to prevent the agent from following instructions embedded within processed email content.
- Capability inventory: The skill allows the agent to send emails, create drafts, and modify labels, which could be abused if an injected instruction is executed.
- Sanitization: There is no mention of sanitization or filtering of email content before it is presented to the agent.
- [EXTERNAL_DOWNLOADS]: The documentation indicates that OAuth tokens are refreshed using an external 'Google cloud function'; this introduces a remote dependency that cannot be verified for security or data privacy without the underlying script code.
Audit Metadata