self-evolving-crm

Pass

Audited by Gen Agent Trust Hub on Jun 21, 2026

Risk Level: SAFEDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill is designed to access and process highly sensitive personal data, including the contents of the user's Gmail inbox/sent folders and Google Calendar events. While this is necessary for its stated purpose as a CRM, the broad scope of data access increases the risk profile.
  • Evidence: The configuration requires GMAIL_OAUTH_CREDENTIALS and GOOGLE_CALENDAR_CREDENTIALS for full operation.
  • Evidence: The skill transmits processed data summaries and contact information to external well-known services including Telegram, Apollo.io, and Brave Search.
  • Note: These behaviors are transparently documented as intended functionality.
  • [PROMPT_INJECTION]: The skill is inherently vulnerable to indirect prompt injection due to its core function of processing untrusted external communications.
  • Ingestion points: The agent-data-collector.md specification details the extraction of data from Gmail (INBOX/SENT), Google Calendar attendees/descriptions, and meeting notes files.
  • Boundary markers: The LLM prompts used for data extraction (e.g., in agent-action-extractor.md and agent-relationship.md) do not implement explicit boundary markers or delimiters to protect against instruction override within the ingested data.
  • Capability inventory: The skill has the capability to write to local memory files, perform network operations to multiple APIs, and generate message drafts for the user to send.
  • Sanitization: The agent-data-collector.md mentions stripping HTML tags from snippets, but no semantic sanitization or instruction filtering is applied to the raw content before LLM processing.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 21, 2026, 03:53 PM
Security Audit — agent-trust-hub — self-evolving-crm