skills/iii-hq/workers/email/Gen Agent Trust Hub

email

Pass

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: SAFEPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it processes external, untrusted data from email accounts.
  • Ingestion points: Functions like email::get (which returns parsed HTML/text bodies) and the email::new-mail trigger (which provides message snippets) ingest untrusted content into the agent's context.
  • Boundary markers: The specification does not define clear boundary markers or instructions for the agent to distinguish between its system instructions and the untrusted data found within email messages.
  • Capability inventory: The skill exposes powerful capabilities such as email::send, email::move, and email::flag, which could be maliciously invoked if an agent is tricked by instructions inside an email.
  • Sanitization: No content sanitization or filtering is mentioned to prevent the LLM from interpreting instructions contained in the email data.
  • [DATA_EXFILTRATION]: The email::send capability allows for the transmission of data to external SMTP endpoints. While this is the intended purpose, it serves as a potential exfiltration vector if an agent is compromised via indirect prompt injection from a received email.
  • [CREDENTIALS_UNSAFE]: The skill correctly manages sensitive information by not hardcoding credentials. It utilizes a secure pattern where secrets are fetched at runtime from the harness/auth-credentials worker, which is a verified vendor resource.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 13, 2026, 12:22 AM
Security Audit — agent-trust-hub — email