google-workspace

Pass

Audited by Gen Agent Trust Hub on Jun 17, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8) because its primary purpose is to process data from external, untrusted sources such as Google Forms, Gmail messages, and Docs. This data is used to drive downstream actions like scheduling meetings or sending emails.
  • Ingestion points: scripts/gws-helper.py and the workflows described in SKILL.md ingest data from the Gmail API, Forms API, and Drive files.
  • Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present in the prompt instructions to protect the agent from malicious content in the ingested data.
  • Capability inventory: The skill has powerful capabilities, including file creation, file sharing, email sending, and domain administration via the Admin SDK.
  • Sanitization: There is no evidence of input validation or sanitization for retrieved external content before it is processed by the agent.
  • [DATA_EXFILTRATION]: The send_email function in scripts/gws-helper.py provides the ability to send local files as attachments. While this is a standard feature for automation, it represents a potential exfiltration vector if the agent is manipulated into sending sensitive files (e.g., credentials, keys) from the local environment.
  • [EXTERNAL_DOWNLOADS]: The script scripts/auth-setup.sh automatically installs several Python packages from the public PyPI registry. These are official Google libraries, which are well-known and generally safe, but involve fetching code from a remote repository during setup.
  • Evidence: pip install --quiet google-api-python-client google-auth-httplib2 google-auth-oauthlib
  • [COMMAND_EXECUTION]: The skill includes a bash script (scripts/auth-setup.sh) and a Python script (scripts/gws-helper.py) that perform environment configuration, dependency management, and file operations. This includes using `python3
  • <<'PYEOF'` to execute inline Python code for processing sensitive JSON authentication tokens.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 17, 2026, 07:06 AM
Security Audit — agent-trust-hub — google-workspace