value-moment-email

Pass

Audited by Gen Agent Trust Hub on Jun 16, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection during the email drafting phase. It retrieves properties like primary_resource_name and org_name from PostHog, which are directly influenced by end-users. These values are then interpolated into the language model's prompt to generate a personalized email. A malicious user could craft a resource name containing instructions designed to hijack the agent's behavior during the drafting process.
  • Ingestion points: Untrusted data enters via the PostHog query in SKILL.md (Step 2), specifically the primary_resource_name, provider_type, and org_name fields.
  • Boundary markers: The skill lacks delimiters or explicit instructions to the model to ignore potential commands embedded within the retrieved event data.
  • Capability inventory: The skill uses composio-gmail to send the generated content, providing a path for the injection to reach external recipients if the human-in-the-loop review (Step 6) is bypassed or ineffective.
  • Sanitization: No sanitization, validation, or escaping logic is applied to the external data before it is used in the prompt construction.
Audit Metadata
Risk Level: SAFE
Analyzed: Jun 16, 2026, 06:24 PM
Security Audit — agent-trust-hub — value-moment-email