outlook
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8) because it processes untrusted data and possesses significant write capabilities. \n
- Ingestion points: Untrusted content is read in
scripts/outlook-mail.sh(read, search, inbox) andscripts/outlook-calendar.sh(events, today, week, read). \n - Boundary markers: Absent. The skill does not employ specific delimiters or instruction-ignore warnings when passing external text to the agent. \n
- Capability inventory: Subprocess calls to
curlfor sending mail, deleting mail, and modifying calendar events are present inscripts/outlook-mail.shandscripts/outlook-calendar.sh. \n - Sanitization: Basic HTML stripping using
jqgsub and text truncation is used inscripts/outlook-mail.shandscripts/outlook-calendar.sh, which provides minimal protection against behavioral manipulation. \n- [COMMAND_EXECUTION]: Shell scripts within the skill utilize unsafe string interpolation to construct JSON payloads and tool queries. \n - Evidence: Found in
scripts/outlook-mail.sh(send, reply, move, forward, categorize) andscripts/outlook-calendar.sh(create, update commands). \n - Description: User-controlled input or external data is placed directly into strings used for
curlPOST data andjqfilters. This allows for structural injection where malicious input could alter the JSON body or query logic, potentially leading to unintended API operations within the user's authorized scope.
Audit Metadata