google-slides-automation
Fail
Audited by Gen Agent Trust Hub on Apr 27, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION, PROMPT_INJECTION, NO_CODE
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute local Python scripts (scripts/auth.py and scripts/slides.py) to manage authentication and interact with the Google Slides API. The source code for these scripts is not provided, making their behavior unverifiable.
- [CREDENTIALS_UNSAFE]: The skill describes an unconventional OAuth refresh process that uses an external 'cloud function' instead of local client credentials. This architecture typically requires sending the user's refresh tokens to a remote endpoint, which is a significant security risk for credential theft.
- [DATA_EXFILTRATION]: The use of a remote cloud function to handle OAuth tokens creates a potential path for exfiltrating sensitive access credentials. Furthermore, the referenced scripts request full read/write access to the user's Google Slides presentations.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It ingests untrusted text data from Google Slides via the get-text command without specifying boundary markers or sanitization logic. Mandatory evidence:
  1. Ingestion point: scripts/slides.py get-text reads slide content.
  2. Boundary markers: Absent.
  3. Capability inventory: batch-update, create, add-slide, replace-text, and delete-slide.
  4. Sanitization: Absent.
  This could allow malicious instructions embedded in a slide to influence the agent's subsequent actions.
- [NO_CODE]: The skill relies on external scripts located in the scripts/ directory that are not included in the provided analysis. This prevents verification of the OAuth flow and API interaction logic.
Recommendations
- AI detected serious security threats
Audit Metadata