recipe-forward-labeled-emails
Pass
Audited by Gen Agent Trust Hub on Mar 20, 2026
Risk Level: SAFE
PROMPT_INJECTION DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it retrieves untrusted content from email bodies and uses it to perform further actions without sanitization.
  - Ingestion points: Email message content is retrieved in Step 2 of `SKILL.md` using the `gws gmail users messages get` command.
  - Boundary markers: No delimiters or instructions to ignore embedded commands are present; the message body is directly interpolated into a new email template.
  - Capability inventory: The skill utilizes `gws gmail +send` in Step 3, providing a mechanism for data transmission.
  - Sanitization: There is no evidence of content escaping, validation, or filtering before the data is processed.
- [DATA_EXFILTRATION]: The skill is designed to move sensitive email content from the user's inbox to an external email address. While this aligns with the stated purpose of a forwarding skill, it constitutes a movement of potentially private data to a fixed external destination.
Audit Metadata