outlook-emails-lawvable
Pass
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill connects to Microsoft Graph API (graph.microsoft.com) to fetch emails and download attachments as part of its core functionality.
- [DATA_EXFILTRATION]: The skill reads sensitive user data (emails and attachments). While no evidence of unauthorized exfiltration to third-party servers was found, the processing of this data is the primary purpose of the skill.
- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8).
  - Ingestion points: Untrusted data enters the agent context via email bodies (bodyPreview) and attachments downloaded by scripts/outlook_oauth.py.
  - Boundary markers: The script does not implement delimiters or 'ignore instructions' markers when passing email content to the agent.
  - Capability inventory: The skill is designed to chain with other tools (e.g., NDA review, spreadsheet processing) as documented in references/WORKFLOWS.md, meaning injected instructions in an email could potentially influence these downstream actions.
  - Sanitization: Filenames are sanitized to prevent path traversal in download_attachment(), but the content of emails and documents is not sanitized before being processed by the agent.
- [CREDENTIALS_UNSAFE]: A hardcoded CLIENT_ID is present in scripts/outlook_oauth.py. However, this is a public client ID for OAuth2, which is intended to be public in CLI applications and does not represent a leaked secret.
- [PRIVILEGE_ESCALATION]: Documentation in references/AZURE_SETUP.md instructs users to grant Mail.ReadWrite and Mail.Send permissions. While the script currently only requests read-only scopes (Mail.Read), following the setup guide results in over-privileging the application, increasing the impact of potential exploitation.
Audit Metadata