Pass
Audited by Gen Agent Trust Hub on Mar 30, 2026
Risk Level: SAFE
Finding tags: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill provides an `upload` action and a supporting JavaScript helper (`dist/index.js`) that accept an arbitrary `filePath` parameter. This allows the agent to read any file from the local filesystem accessible to the runtime. When combined with the `share` action, which allows files to be shared with external email addresses, this creates a functional path for the exfiltration of sensitive local data such as credentials, SSH keys, or configuration files.
- [COMMAND_EXECUTION]: The skill utilizes a local JavaScript helper (`dist/index.js`) to handle content uploads and Google Doc conversions. This requires the agent to execute shell commands (`node dist/index.js`) and pass JSON payloads containing user- or agent-generated content, which is a significant capability.
- [PROMPT_INJECTION]: The skill retrieves and processes file names, descriptions, and owner information from Google Drive, which are untrusted external inputs. This introduces a risk of indirect prompt injection, where malicious content in file metadata could influence the agent's behavior.
- Ingestion points: Untrusted data enters the agent context through the `list` and `get` actions defined in `skill-router.json`, which fetch file metadata from the Google Drive API.
- Boundary markers: None are present in the skill instructions to distinguish between system instructions and data retrieved from the API.
- Capability inventory: The skill has the capability to read local files, execute local scripts, and perform network operations to Google's APIs.
- Sanitization: There is no evidence of sanitization or validation of the retrieved metadata before it is presented to the agent.
Audit Metadata