recoup-internal-task-email-audit
Warn
Audited by Gen Agent Trust Hub on Jul 17, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [DATA_EXFILTRATION]: The skill instructions define a workflow to pull production environment variables from Vercel into a temporary file (
/tmp/prod.env) to extract theTRIGGER_SECRET_KEYusing shell parsing. This pattern exposes sensitive production credentials to the agent's execution environment. - [COMMAND_EXECUTION]: The skill utilizes several shell commands including
vercel env pull,grep, andrmfor credential management, andnodeto execute the bundledscripts/fetch_task_runs.mjsscript. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests and processes untrusted data from email logs and agent chat history.
- Ingestion points: Reads content from
public.email_send_log.raw_bodyandpublic.chat_messages.partswithin the Supabase database. - Boundary markers: No delimiters or instructions to ignore embedded content are present in the provided queries or processing logic.
- Capability inventory: The skill has the ability to execute shell commands (
bash,node) and perform database operations (execute_sql). - Sanitization: Content is extracted using regular expressions and JSON elements without explicit validation or sanitization of potential embedded instructions.
- [EXTERNAL_DOWNLOADS]: The
scripts/fetch_task_runs.mjsscript makes network requests to the Trigger.dev Management API (api.trigger.dev) to retrieve run history. Trigger.dev is a well-known service for task orchestration and management.
Audit Metadata