Pass
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: SAFEPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it processes external, untrusted data from email accounts.
- Ingestion points: Functions like
email::get(which returns parsed HTML/text bodies) and theemail::new-mailtrigger (which provides message snippets) ingest untrusted content into the agent's context. - Boundary markers: The specification does not define clear boundary markers or instructions for the agent to distinguish between its system instructions and the untrusted data found within email messages.
- Capability inventory: The skill exposes powerful capabilities such as
email::send,email::move, andemail::flag, which could be maliciously invoked if an agent is tricked by instructions inside an email. - Sanitization: No content sanitization or filtering is mentioned to prevent the LLM from interpreting instructions contained in the email data.
- [DATA_EXFILTRATION]: The
email::sendcapability allows for the transmission of data to external SMTP endpoints. While this is the intended purpose, it serves as a potential exfiltration vector if an agent is compromised via indirect prompt injection from a received email. - [CREDENTIALS_UNSAFE]: The skill correctly manages sensitive information by not hardcoding credentials. It utilizes a secure pattern where secrets are fetched at runtime from the
harness/auth-credentialsworker, which is a verified vendor resource.
Audit Metadata