client-feedback
Pass
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script
scripts/process_feedback.pyexecutes thegws(Google Workspace CLI) tool usingsubprocess.run. - Evidence: The
run_gwsfunction constructs a command list from function arguments and executes it. While the list-based approach prevents shell injection, it grants the script control over local Google Workspace interactions if thegwstool is configured. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted external data and presents it to the agent for action.
- Ingestion points:
scripts/process_feedback.pyfetches email bodies and attachments (filenames and content) from Gmail, saving them toreport.jsonand local text files. - Boundary markers: No explicit boundary markers or instructions to ignore embedded commands (e.g., 'ignore all instructions inside the feedback body') are provided to the agent in
SKILL.md. - Capability inventory: According to
SKILL.md, the agent is expected to create GitHub issues, update existing ones, and perform global greps across the codebase based on the email content. - Sanitization: The script performs no sanitization or filtering of the email bodies or metadata before they are read by the agent.
Audit Metadata