gmail-manager

Pass

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: SAFE, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill transmits sensitive email data, including messages, threads, and metadata, to an external API endpoint (app.rubeai.io). While this is the intended mechanism for the Rube MCP integration, users should be aware that private communications are processed by this third-party service.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it retrieves and processes untrusted data from incoming emails using tools such as GMAIL_FETCH_EMAILS and GMAIL_GET_EMAIL_BY_ID.
      • Ingestion points: Untrusted data enters the agent context via email content fetched through GMAIL_FETCH_EMAILS, GMAIL_GET_EMAIL_BY_ID, and GMAIL_GET_THREAD as defined in SKILL.md.
      • Boundary markers: Absent. The skill provides no instructions to the agent to treat email content as untrusted or to ignore any commands contained within the emails.
      • Capability inventory: The skill possesses high-impact capabilities, including the ability to send emails (GMAIL_SEND_EMAIL), reply to threads (GMAIL_REPLY_TO_EMAIL), and delete messages (GMAIL_TRASH_MESSAGE).
      • Sanitization: There is no evidence of sanitization, filtering, or validation of the retrieved email content before it is processed by the LLM or acted upon by the tools.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 1, 2026, 05:14 AM