recoup-internal-task-email-audit

Warn

Audited by Gen Agent Trust Hub on Jul 17, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [DATA_EXFILTRATION]: The skill instructions define a workflow to pull production environment variables from Vercel into a temporary file (/tmp/prod.env) to extract the TRIGGER_SECRET_KEY using shell parsing. This pattern exposes sensitive production credentials to the agent's execution environment.
  • [COMMAND_EXECUTION]: The skill utilizes several shell commands including vercel env pull, grep, and rm for credential management, and node to execute the bundled scripts/fetch_task_runs.mjs script.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests and processes untrusted data from email logs and agent chat history.
  • Ingestion points: Reads content from public.email_send_log.raw_body and public.chat_messages.parts within the Supabase database.
  • Boundary markers: No delimiters or instructions to ignore embedded content are present in the provided queries or processing logic.
  • Capability inventory: The skill has the ability to execute shell commands (bash, node) and perform database operations (execute_sql).
  • Sanitization: Content is extracted using regular expressions and JSON elements without explicit validation or sanitization of potential embedded instructions.
  • [EXTERNAL_DOWNLOADS]: The scripts/fetch_task_runs.mjs script makes network requests to the Trigger.dev Management API (api.trigger.dev) to retrieve run history. Trigger.dev is a well-known service for task orchestration and management.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jul 17, 2026, 03:07 AM