gmail
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes untrusted data from email bodies and snippets.
  - Ingestion points: External email data enters the agent context via scripts/read_emails.py and scripts/search_emails.py.
  - Boundary markers: The instructions lack explicit delimitation or 'ignore' markers to separate untrusted email content from the agent's core instructions.
  - Capability inventory: The skill has the ability to send emails with arbitrary file attachments via scripts/send_email.py and modify email status via scripts/read_emails.py (which uses the gmail.modify scope).
  - Sanitization: There is no evidence of content filtering or escaping for the ingested email data before it is presented to the agent for summarization.
Audit Metadata