google-docs
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill makes extensive use of
bash -cto wrapcurlcommands andjqfor processing JSON responses. This is primarily used to manage Google Docs resources and handle environment variables during piped operations. - [CREDENTIALS_UNSAFE]: Uses the
GOOGLE_DOCS_TOKENenvironment variable for authentication. The skill metadata explicitly defines this as a platform-managed secret (vm0_secrets), which is a standard practice for secure credential handling in this context. - [DATA_EXFILTRATION]: Communicates with official Google API endpoints (
docs.googleapis.comandgoogleapis.com). These are well-known services, and the network activity is strictly aligned with the skill's documented purpose of managing Google Docs. - [INDIRECT_PROMPT_INJECTION]: The skill has the surface area for indirect injection as it reads content from external Google Docs which could contain instructions. However, it uses
jqto parse data and presents it as structured output, following standard data-retrieval patterns. - Ingestion points: Document content is fetched in steps 2, 3, 16, and 17 using
curlfrom the Google Docs API. - Boundary markers: None explicitly present in the suggested commands to separate document data from agent instructions.
- Capability inventory: The agent has shell access via
curl,jq, andtras demonstrated in the skill's examples. - Sanitization: Uses
jqfor parsing andtr -d '\0'for basic cleanup in plain text extraction, but does not perform semantic validation of document content.
Audit Metadata