google-docs-automation
Warn
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: MEDIUM (NO_CODE, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [NO_CODE]: The documentation references scripts/auth.py and scripts/docs.py, but these files are missing from the provided skill package, making it impossible to verify the security of the underlying logic.
- [COMMAND_EXECUTION]: The setup and usage instructions require the user to execute local Python scripts that handle sensitive OAuth credentials and document data.
- [DATA_EXFILTRATION]: The documentation states that tokens are refreshed through a 'cloud function' instead of directly via Google's OAuth endpoints. This architecture is atypical and could be used to intercept refresh tokens if the function is not controlled by a trusted entity.
- [PROMPT_INJECTION]: The skill reads external content from Google Docs, creating a surface for indirect prompt injection attacks.
  - Ingestion points: Document text is retrieved using the get-text command in scripts/docs.py.
  - Boundary markers: There are no delimiters or instructions provided to the agent to treat document content as untrusted data.
  - Capability inventory: The skill can search, create, and modify documents, providing a significant impact if an injection occurs.
  - Sanitization: No sanitization or filtering of the retrieved document content is described.
Audit Metadata