value-moment-email
Pass
Audited by Gen Agent Trust Hub on Jun 16, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection during the email drafting phase. It retrieves properties like `primary_resource_name` and `org_name` from PostHog, which are directly influenced by end-users. These values are then interpolated into the language model's prompt to generate a personalized email. A malicious user could craft a resource name containing instructions designed to hijack the agent's behavior during the drafting process.
  - Ingestion points: Untrusted data enters via the PostHog query in `SKILL.md` (Step 2), specifically the `primary_resource_name`, `provider_type`, and `org_name` fields.
  - Boundary markers: The skill lacks delimiters or explicit instructions to the model to ignore potential commands embedded within the retrieved event data.
  - Capability inventory: The skill uses `composio-gmail` to send the generated content, providing a path for the injection to reach external recipients if the human-in-the-loop review (Step 6) is bypassed or ineffective.
  - Sanitization: No sanitization, validation, or escaping logic is applied to the external data before it is used in the prompt construction.
Audit Metadata