Example report

IGLIGQ Trust Report: gmail-workflow-agent

This example shows the report structure. It is not an issued audit and should not be used as proof that any package is safe.

Example review output

gmail-workflow-agent

Agent Package · Medium confidence · Static analysis only · No code execution

72/100Review Required
Critical
0
High
2
Medium
4
Low
5
HighExternal service call requires reviewNET-002 · scripts/send.ts:42 · High
MediumPrompt surface may reduce oversightPROMPT-004 · SKILL.md:18-26 · Medium
Open example report

Artifact

Type
Agent Package
Scan date
2026-07-06
Example hash
sample-only-sha256-8f3a4c2d9b7e1a6c5d0e4f2a9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e3f2a1b0

Dependency and Domain Review

Dependencies: mail-client ^2.8.0, yaml 2.7.0, tsx ^4.20.0

Domains: api.mailprovider.example, oauth.mailprovider.example

Review module

Capability Bill

A structured view of what the package appears able to read, write, call, execute or expose.

Capability evidence example
CapabilityActionSeverityConfidenceEvidence
Network accessCalls external mail APIHighHighscripts/send.ts -> fetch(api.mailprovider.example)
Filesystem writeWrites local export filesMediumMediumsrc/exporter.ts -> fs.writeFile(outputPath)
Prompt surfaceContains oversight-reduction wordingMediumMediumSKILL.md contains autonomous retry and approval-bypass language
Secrets handlingReads environment variablesMediumLowconfig/mail.ts -> process.env.MAIL_API_TOKEN

Review module

Claims vs Behavior

IGLIGQ compares stated purpose with visible behavior, permissions, external services and risky instructions.

Stated purpose

  • Summarizes Gmail threads
  • Drafts follow-up replies

Observed behavior

  • Calls external mail API
  • Writes local export files

Mismatch labels

  • External data transfer not disclosed
  • Storage behavior not disclosed

Risk Findings

HighNET-002

External service call requires review

The package appears to send workflow data to an external mail API. This can be legitimate, but it needs explicit disclosure and approval.

Evidence: scripts/send.ts:42

Recommendation: Disclose the destination domain, add an allowlist and require approval before outbound send actions.

MediumPROMPT-004

Prompt surface may reduce oversight

The instruction text appears to encourage autonomous retry behavior without a clear human approval checkpoint.

Evidence: SKILL.md:18-26

Recommendation: Add an explicit human approval gate for send, post, delete or external transfer actions.

Recommended Actions

  • Add permissions disclosure to the package manifest.
  • Pin dependencies and document external domains.
  • Request IGLIGQ Verified Audit before public listing.

Human review option

Verified Audit for public trust

Request a human-reviewed report when you need a public badge, procurement-ready PDF or enterprise private review. Review payment covers the audit process, not a guaranteed pass.