self-evolving-crm
Pass
Audited by Gen Agent Trust Hub on Jun 21, 2026
Risk Level: SAFEDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill is designed to access and process highly sensitive personal data, including the contents of the user's Gmail inbox/sent folders and Google Calendar events. While this is necessary for its stated purpose as a CRM, the broad scope of data access increases the risk profile.
- Evidence: The configuration requires
GMAIL_OAUTH_CREDENTIALSandGOOGLE_CALENDAR_CREDENTIALSfor full operation. - Evidence: The skill transmits processed data summaries and contact information to external well-known services including Telegram, Apollo.io, and Brave Search.
- Note: These behaviors are transparently documented as intended functionality.
- [PROMPT_INJECTION]: The skill is inherently vulnerable to indirect prompt injection due to its core function of processing untrusted external communications.
- Ingestion points: The
agent-data-collector.mdspecification details the extraction of data from Gmail (INBOX/SENT), Google Calendar attendees/descriptions, and meeting notes files. - Boundary markers: The LLM prompts used for data extraction (e.g., in
agent-action-extractor.mdandagent-relationship.md) do not implement explicit boundary markers or delimiters to protect against instruction override within the ingested data. - Capability inventory: The skill has the capability to write to local memory files, perform network operations to multiple APIs, and generate message drafts for the user to send.
- Sanitization: The
agent-data-collector.mdmentions stripping HTML tags from snippets, but no semantic sanitization or instruction filtering is applied to the raw content before LLM processing.
Audit Metadata