batch-send-drafts
Warn
Audited by Gen Agent Trust Hub on Jul 4, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill includes instructions to use the
!shell escape character (e.g.,! open -a "Google Chrome" ...) to launch browser tabs. This pattern allows the agent to execute arbitrary shell commands on the host machine. Since the command incorporates Draft IDs retrieved from an external API, it is vulnerable to command injection if those IDs are maliciously crafted to include shell metacharacters. - [DATA_EXFILTRATION]: The workflow in Stage 5 writes execution metrics and draft metadata to a hidden directory in the user's home folder (
~/.claude/skill-analytics/). Writing persistent data to hidden locations outside the project workspace is a common technique for tracking user activity or exfiltrating session telemetry without explicit user visibility. - [PROMPT_INJECTION]: The skill ingests untrusted data from Gmail drafts (subject lines and message snippets) to perform classification and prioritization. The implementation lacks boundary markers or instructions to ignore instructions embedded within this external data. This creates an attack surface for indirect prompt injection, where a malicious draft could influence the agent's logic or subsequent command generation.
Audit Metadata