Pass
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: SAFEPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection by ingesting untrusted data from an external source and providing high-impact capabilities.
- Ingestion points: Gmail thread snippets and full message content (including headers and MIME parts) are ingested through the
list-threadsandget-threadactions inskill-router.json. - Boundary markers: The skill does not implement delimiters or 'ignore instructions' warnings when presenting email content to the agent.
- Capability inventory: The skill provides a
sendaction indist/index.jswhich allows the agent to compose and transmit new emails (text or HTML) via the Gmail API. - Sanitization: No sanitization or filtering of incoming email content is performed before it enters the agent's context.
- [DATA_EXFILTRATION]: The skill accesses sensitive communication data (emails) and has network capabilities to send data to
https://gmail.googleapis.com. While this is the intended functionality for a mail client, it represents a data exposure surface if used by an untrusted or compromised agent.
Audit Metadata