Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, DATA_EXFILTRATION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is highly vulnerable because it ingests untrusted data and has significant side-effect capabilities.
  - Ingestion points: External content is read through google_gmail_get (email bodies) and google_drive_get_file (file contents) as defined in SKILL.md.
  - Boundary markers: Absent. There are no instructions provided to the agent to treat external content as data only or to ignore embedded instructions.
  - Capability inventory: The skill includes powerful write/execute-equivalent tools such as google_gmail_send, google_calendar_create_event, and google_tasks_delete (SKILL.md).
  - Sanitization: There is no evidence of sanitization, filtering, or validation of the content retrieved from Google services before it is processed by the agent.
- [Data Exfiltration] (MEDIUM): The google_gmail_send tool facilitates the transmission of data to external recipients. If an attacker successfully performs an indirect prompt injection via a received email or shared file, they could instruct the agent to exfiltrate sensitive information from Drive or Contacts via the email tool.
Recommendations
- AI detected serious security threats
Audit Metadata