email-whiz
Warn
Audited by Gen Agent Trust Hub on Apr 30, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted data from emails via tools like gmail_read_email. Evidence:
  1. Ingestion points: untrusted email content is retrieved in SKILL.md and triage-framework.md.
  2. Boundary markers: Security gate keywords are defined in triage-framework.md, but these serve as content filters rather than strict isolation.
  3. Capability inventory: The agent has high-privilege capabilities including gmail_send_email and file write operations.
  4. Sanitization: memory.py performs basic truncation but lacks comprehensive instruction-data separation.
- [COMMAND_EXECUTION]: The skill utilizes dynamic context injection in SKILL.md (e.g., !uv run python scripts/memory.py) to execute local scripts at load time. These commands incorporate parameters influenced by user-supplied arguments, creating a potential vector for command injection if the execution environment lacks sufficient sanitization for interpolated variables.
- [DATA_EXFILTRATION]: The skill possesses the combination of read access to sensitive email data and the ability to send emails externally (gmail_send_email). While this functionality is central to its purpose as a copilot, the risk of data exfiltration exists if the agent is manipulated via prompt injection to send sensitive contents to an external address.
- [SAFE]: The skill demonstrates security best practices by implementing a mandatory 'Security Gate' to protect 2FA and password reset emails, and by strictly requiring user confirmation for destructive operations like label deletion or archiving.
Audit Metadata