spark-recipe-shared-inbox-triage
Pass
Audited by Gen Agent Trust Hub on May 8, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill defines several automated workflows using the
sparkCLI tool to perform email operations such as listing inbox items, reading threads, and assigning tasks. - [PROMPT_INJECTION]: The skill establishes an indirect prompt injection surface by requiring the agent to ingest and process content from external, untrusted sources (incoming emails).
- Ingestion points: External data enters the agent context through the
spark thread <id>command as described inSKILL.md. - Boundary markers: The instructions do not provide delimiters or specific guidance for the agent to distinguish between legitimate triage instructions and potentially malicious commands embedded in email bodies.
- Capability inventory: The agent possesses significant capabilities, including the ability to reply to emails (
spark draft), assign emails to team members (spark action assign), and add internal notes (spark comment). - Sanitization: No procedures for sanitizing or validating the content of the emails are mentioned before the agent is instructed to review and act on them.
Audit Metadata