PART 3
Scenarios
Slides 14–17 · OWASP’s official scenarios, retold concretely
Slide 14 · Scenario 1
The email assistant that can also send.
OWASP’s first official Excessive Agency scenario — the classic over-privileged plugin.
OWASP SCENARIO #1
Email Plugin with Read + Send Capability
An LLM-based personal assistant is granted access to a user’s mailbox to summarize incoming emails. The developer uses a third-party “full integration” plugin — read, search, compose, and send. Only read is needed. But send is registered and available. A maliciously crafted incoming email contains a hidden indirect prompt injection. The agent reads it, follows the injected instructions, scans the inbox for messages containing passwords or API keys, and forwards them to an external address — using the send function the agent never should have had.
Why it matters: The attacker never accessed the inbox directly. They delivered their payload inside a normal email. The agent’s legitimate mail-access credentials did the rest.

Root cause: excessive functionality (send when only read was needed) compounded by excessive permissions (full mailbox scope).
The Fix

Use a read-only mail plugin. Authenticate via an OAuth scope that permits only reading — the send operation should be physically impossible with those credentials, not just blocked by the agent’s logic.
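
The difference between hiding send from the agent and making it impossible for the credentials, as an added example (not part of the original slides or of OWASP's text). The plugin manifest, the scope names mail.read, mail.compose and mail.send, and the MailAPI stand-in are all constructed for illustration.

```python
# Constructed manifest for a hypothetical "full integration" mail plugin:
# each operation maps to the OAuth scope the mail server requires for it.
PLUGIN_MANIFEST = {"read": "mail.read", "search": "mail.read",
                   "compose": "mail.compose", "send": "mail.send"}
NEEDED_OPS = {"read"}  # all the summarizer actually needs


def audit(manifest, needed_ops, granted_scopes):
    """Return (excess functions, excess scopes) relative to the task."""
    needed_scopes = {manifest[op] for op in needed_ops}
    excess_ops = sorted(set(manifest) - set(needed_ops))
    excess_scopes = sorted(set(granted_scopes) - needed_scopes)
    return excess_ops, excess_scopes


class MailAPI:
    """Stand-in for the mail server, which enforces the token's scopes."""

    def __init__(self, token_scopes):
        self.token_scopes = frozenset(token_scopes)
        self.outbox = []

    def call(self, op):
        if PLUGIN_MANIFEST[op] not in self.token_scopes:
            raise PermissionError(f"token lacks scope for {op!r}")
        if op == "send":
            self.outbox.append("forwarded message")
        return "ok"


def replay_scenario(api, registered_ops):
    """Replay the tool calls from the scenario: read, search, then send."""
    results = {}
    for op in ("read", "search", "send"):
        if op not in registered_ops:
            results[op] = "not registered"  # agent-side control only
            continue
        try:
            results[op] = api.call(op)
        except PermissionError:
            results[op] = "denied by server"  # credential-side control
    return results


if __name__ == "__main__":
    all_scopes = set(PLUGIN_MANIFEST.values())
    print(audit(PLUGIN_MANIFEST, NEEDED_OPS, all_scopes))
    # Plugin still registers send, but the token is read-only.
    api = MailAPI({"mail.read"})
    print(replay_scenario(api, set(PLUGIN_MANIFEST)), api.outbox)
```

With the read-only token the outbox stays empty even when the plugin still registers send, which is the property the fix asks for.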
