gmail-triage
Pass
Audited by Gen Agent Trust Hub on Mar 20, 2026
Risk Level: SAFE
COMMAND_EXECUTION
PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on the `@googleworkspace/cli` (`gws`) tool and local scripts (`extract_newsletter.py`, `mark_read.sh`) to interact with the Gmail API. It executes these tools via shell commands to fetch, parse, and modify email data.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through incoming email content.
  - Ingestion points: Untrusted data enters the agent's context when it fetches unread email bodies using `gws gmail users messages get` as described in `SKILL.md` (Step 1 and Step 3).
  - Boundary markers: There are no explicit delimiters or instructions to the agent to ignore embedded instructions within the fetched email content during the summarization or categorization phases.
  - Capability inventory: The skill possesses the capability to read all unread primary emails and modify their status (marking as read) using the `mark_read.sh` script or direct `gws` commands.
  - Sanitization: The `extract_newsletter.py` script performs basic HTML tag stripping and character limiting, but this does not prevent an attacker from embedding natural language instructions designed to manipulate the LLM's output or behavior.
Audit Metadata