inbox-triage
Pass
Audited by Gen Agent Trust Hub on Mar 30, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it instructs the agent to process and act upon untrusted data from email subjects and bodies.
- Ingestion points: The agent reads email content through shell commands defined in SKILL.md.
- Boundary markers: There are no explicit markers or instructions to treat email content as untrusted data or to ignore embedded instructions.
- Capability inventory: The agent can list emails, summarize content, draft replies, and move/archive messages using tools like himalaya or gmailctl.
- Sanitization: No sanitization or filtering of email content is performed before processing.
- [COMMAND_EXECUTION]: The skill relies on the execution of shell commands to interact with the user's email inbox.
- Evidence: Instructions in SKILL.md include running himalaya envelope list and gmail-fetch --unread to retrieve email data.
- [DATA_EXFILTRATION]: The skill accesses potentially sensitive information contained within email headers and bodies.
- Evidence: The agent is tasked with scanning unread emails to produce triage reports containing sender info, subjects, and summaries as described in SKILL.md.
Audit Metadata