email-triage
Warn
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the Bash tool to execute environment checks, build tools using 'bun install' and 'bun run build', and run the triage script 'digest.ts'.
- [EXTERNAL_DOWNLOADS]: Executing 'bun install' downloads third-party dependencies from the NPM registry during the setup phase to compile the Gmail CLI tool.
- [REMOTE_CODE_EXECUTION]: The skill runs a local TypeScript script and a compiled binary ('gmail') which allows for arbitrary code execution in the user's environment.
- [DATA_EXFILTRATION]: Private email data is accessed via a CLI tool and transmitted to an external Telegram bot, representing a significant flow of sensitive information.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it triages untrusted email content using an LLM, which could be exploited to manipulate the agent's logic.
- Ingestion points: Reads external email data via the 'gmail' CLI binary located in the marketplace directory.
- Boundary markers: No explicit delimiters or instructions are used to isolate untrusted email text from system-level instructions.
- Capability inventory: The skill has access to the 'Bash' tool, enabling command execution and script invocation.
- Sanitization: There is no evidence of input validation or sanitization for the processed email content before it is passed to the LLM.
Audit Metadata