interactive-bot
Warn
Audited by Gen Agent Trust Hub on Apr 4, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill performs shell operations to verify the environment, check for the existence of the bot script, and execute the bot using the bun runtime from a local directory.
- [DATA_EXFILTRATION]: The bot is designed to retrieve private data from a user's Gmail account (reading, searching, and listing emails) and transmit it to an external Telegram chat. While restricted to an authorized chat ID, this creates a channel for sensitive data to leave the primary environment.
- [PROMPT_INJECTION]:
  - Self-Modification Instructions: The skill contains explicit 'Self-Evolving' instructions that direct the agent to modify the SKILL.md file immediately upon failure or observed drift. This feedback loop allows for the permanent alteration of the skill's operational logic.
  - Indirect Prompt Injection Surface:
    - Ingestion points: Untrusted data enters the agent's context through incoming Telegram messages and Gmail email content retrieved by tools.
    - Boundary markers: The instructions do not specify any boundary markers, delimiters, or safety warnings to prevent the agent from obeying instructions embedded within the emails it reads.
    - Capability inventory: The agent is granted capabilities to list, search, read, and draft emails in Gmail, which are high-privilege operations.
    - Sanitization: No sanitization or validation of external content (emails or messages) is documented before the content is passed to the AI routing tier.
Audit Metadata