internal-comms

Pass

Audited by Gen Agent Trust Hub on Apr 20, 2026

Risk Level: SAFE
PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes data from untrusted or attacker-controllable sources (Slack, Email, Documents) without adequate isolation or boundary markers.
      • Ingestion points: Slack channels, Gmail/Email, and Google Drive documents are accessed by the agent to gather content (referenced in references/examples/3p-updates.md, references/examples/company-newsletter.md, and references/examples/faq-answers.md).
      • Boundary markers: Absent. The instructions do not include delimiters or warnings to ignore instructions found within the retrieved data.
      • Capability inventory: The agent reads sensitive communications and generates formatted reports/newsletters based on that content.
      • Sanitization: Absent. There is no requirement for the agent to filter or escape the content it reads before processing or re-sharing it.
  • [DATA_EXFILTRATION]: The skill explicitly directs the agent to locate and process highly sensitive internal information, including executive emails, project plans, and leadership updates. While intended for internal use, this deep access to organizational data increases the impact if the agent is compromised via indirect prompt injection.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 20, 2026, 07:13 AM
Security Audit — agent-trust-hub — internal-comms