inbox-triage
Pass
Audited by Gen Agent Trust Hub on May 13, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8) due to the processing of untrusted data from external emails.\n
- Ingestion points: The agent reads unread emails and attachments from the user's Gmail inbox to perform classification and drafting (SKILL.md).\n
- Boundary markers: The instructions lack explicit delimiters or warnings to the agent to treat email content as untrusted, which could allow instructions within an email to override the skill's logic.\n
- Capability inventory: The agent has the authority to create Gmail drafts, write files to the local system (configuration and reports), post to Slack, and set up recurring scheduled tasks (SKILL.md).\n
- Sanitization: There is no mention of sanitizing or escaping the content of emails or attachments before they are used in drafts or reports.\n
- Remediation: To mitigate this risk, email content should be wrapped in clear delimiters with instructions to the agent to ignore any embedded commands. The skill already implements a 'human-in-the-loop' check by only creating drafts and not sending emails automatically.
Audit Metadata