skills/kcchien/skills/gws-workflow/Gen Agent Trust Hub

gws-workflow

Pass

Audited by Gen Agent Trust Hub on Apr 16, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill requires the 'gws' binary and instructs the agent to execute shell commands with parameters dynamically constructed from API schemas.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface by ingesting untrusted data from external sources.
      1. Ingestion points: Data from Gmail messages, Calendar events, and Drive files enters the agent context through methods like '+weekly-digest' and '+email-to-task'.
      2. Boundary markers: The instructions lack explicit delimiters or warnings to ignore embedded instructions within the processed data.
      3. Capability inventory: The agent has the ability to execute shell commands ('gws') to perform writes, such as creating tasks or announcing files in Chat.
      4. Sanitization: There is no evidence of input sanitization, filtering, or escaping for the data retrieved from Google Workspace services.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 16, 2026, 03:09 PM