poffice-admin
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- DATA_EXFILTRATION (MEDIUM): Scripts including
poffice_docs.py,poffice_mail.py, andpoffice_paperless.pyperform network requests to administrative endpoints withverify=False. This bypasses SSL/TLS certificate validation, allowing attackers on the network to intercept sensitive administrative API keys and session tokens. - COMMAND_EXECUTION (MEDIUM): The
scripts/poffice_master_admin.pyfile executes local Python scripts usingsubprocess.check_output. It constructs argument lists using values (email, name, password) retrieved from an external Neon PostgreSQL database. If the database content is compromised, it could lead to command argument injection within the orchestration flow. - EXTERNAL_DOWNLOADS (LOW): The
scripts/poffice_docs.pyfile provides functionality to download files from a remote Seafile instance to the local environment. - PROMPT_INJECTION (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8).
- Ingestion points:
scripts/poffice_imap.py(reads email subjects and bodies) andscripts/poffice_docs.py(downloads cloud files). - Boundary markers: None. There are no instructions to the agent to ignore or sanitize instructions embedded in retrieved data.
- Capability inventory: The skill has broad permissions to create mailboxes, manage cloud users, and send emails.
- Sanitization: No validation or sanitization is performed on data retrieved from external email or document sources before it enters the agent's context.
Audit Metadata