google-workspace-cli

Pass

Audited by Gen Agent Trust Hub on May 29, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTIONREMOTE_CODE_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: Fetches the @googleworkspace/cli package from the official npm registry and downloads additional persona-based skills and recipes from the googleworkspace GitHub organization to extend agent capabilities.
  • [COMMAND_EXECUTION]: Executes a comprehensive suite of shell commands via the gws CLI to interact with Google Workspace APIs for tasks like file management, email automation, and directory administration.
  • [DATA_EXFILTRATION]: Accesses sensitive information including Gmail messages, Drive files, and user directory data. This access is consistent with the skill's primary purpose of providing an administrative and productivity interface for Workspace.
  • [REMOTE_CODE_EXECUTION]: Includes the ability to push and execute code within the Google Workspace environment using Apps Script (gws apps-script-push and gws apps-script scripts run).
  • [PROMPT_INJECTION]: Provides a surface for indirect prompt injection when processing untrusted content from external Workspace resources.
  • Ingestion points: Untrusted data enters the agent context via commands like gws drive files get, gws gmail users messages get, and gws docs documents get.
  • Boundary markers: No explicit boundary markers or "ignore embedded instructions" delimiters are implemented in the instruction set for data processing.
  • Capability inventory: The skill has high-privilege capabilities including sending emails, deleting files, and managing administrative users.
  • Sanitization: The tool supports mitigation via the --sanitize flag and modelarmor helper commands, which utilize Model Armor templates to scan responses for injections.
  • [CREDENTIALS_UNSAFE]: Documents the use of OAuth access tokens and credentials files via environment variables. It specifies that local credentials are stored with AES-256-GCM encryption in the operating system's keyring.
Audit Metadata
Risk Level
SAFE
Analyzed
May 29, 2026, 03:05 AM
Security Audit — agent-trust-hub — google-workspace-cli