outreach-sender
Pass
Audited by Gen Agent Trust Hub on Jun 22, 2026
Risk Level: SAFE
COMMAND_EXECUTION
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8) as it processes untrusted data from external prospects to generate email content.
- Ingestion points: Prospect data and 'signals' (e.g., funding announcements, hiring posts, competitor mentions) are read from `memory/pipeline.json` and interpolated into email templates.
- Boundary markers: The instructions do not specify the use of delimiters or 'ignore' instructions when processing external data through the `cold-email` and `humanizer` skills.
- Capability inventory: The skill possesses the ability to send emails via the `orth` Gmail integration and communicates with the user via Telegram.
- Sanitization: There is no evidence of explicit validation or sanitization of the prospect-supplied fields before they are used in the email drafting process.
- Mitigation: A robust 'Human In The Loop' (HITL) process is mandatory; the skill presents drafts for manual CEO approval via Telegram before any network operation (sending) occurs, significantly mitigating the risk of automated injection attacks.
- [COMMAND_EXECUTION]: The skill utilizes the `orth` utility to execute shell commands (`orth run gmail /send-email`) for sending emails. The command construction involves dynamic interpolation of email bodies and recipient details into a JSON payload.
Audit Metadata