# Giskard - Email Assistant (Level 3)

* [Link to challenge](https://red.giskard.ai/challenges/insecure-agents/email-assistant-3)

## Instructions

![Instructions](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-7bc38d5211590cf539cf6ffa3f7863a9f92c476d%2F2025-08-23-16-40-14.png?alt=media)

## Resolution

As this is an agent, it might have access to an API. So I asked if it had access to an API, and it said yes. So then I asked it to list all the API actions, and I got the `send_emails` action.

![List api action](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-d8b67badb3c38e4415f4d25947dd4be96f95dd2f%2F2025-08-23-17-27-24.png?alt=media)

So I asked how it would use the API action to send an email, and I got this answer:

![send email action json](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-3337056d785f1087510c217bd8896659a5190306%2F2025-08-23-17-29-13.png?alt=media)

For some reason, I am able to have it show a POST request with the API action, but it does not validate the challenge. It means it considers that the email is not sent:

![POST REQUEST](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-b1c989f92c0bc125457185983572f966274d4c54%2F2025-08-23-17-49-36.png?alt=media)

![coming soon](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-79c94f83d11d2dcfbf46dd6e9f56209f3dcdcfc1%2F2024-07-03-16-57-38.png?alt=media)
