google-workspace
Pass
Audited by Gen Agent Trust Hub on Jun 17, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8) because its primary purpose is to process data from external, untrusted sources such as Google Forms, Gmail messages, and Docs. This data is used to drive downstream actions like scheduling meetings or sending emails.
- Ingestion points:
scripts/gws-helper.pyand the workflows described inSKILL.mdingest data from the Gmail API, Forms API, and Drive files. - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present in the prompt instructions to protect the agent from malicious content in the ingested data.
- Capability inventory: The skill has powerful capabilities, including file creation, file sharing, email sending, and domain administration via the Admin SDK.
- Sanitization: There is no evidence of input validation or sanitization for retrieved external content before it is processed by the agent.
- [DATA_EXFILTRATION]: The
send_emailfunction inscripts/gws-helper.pyprovides the ability to send local files as attachments. While this is a standard feature for automation, it represents a potential exfiltration vector if the agent is manipulated into sending sensitive files (e.g., credentials, keys) from the local environment. - [EXTERNAL_DOWNLOADS]: The script
scripts/auth-setup.shautomatically installs several Python packages from the public PyPI registry. These are official Google libraries, which are well-known and generally safe, but involve fetching code from a remote repository during setup. - Evidence:
pip install --quiet google-api-python-client google-auth-httplib2 google-auth-oauthlib - [COMMAND_EXECUTION]: The skill includes a bash script (
scripts/auth-setup.sh) and a Python script (scripts/gws-helper.py) that perform environment configuration, dependency management, and file operations. This includes using `python3 - <<'PYEOF'` to execute inline Python code for processing sensitive JSON authentication tokens.
Audit Metadata