pigeon
Pass
Audited by Gen Agent Trust Hub on Apr 13, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: Indirect prompt injection surface detected. The skill displays message subjects and bodies from other sessions without sanitization, which could lead an agent to follow malicious instructions embedded in messages.
- Ingestion points: The read_mail, read_one, and thread functions in scripts/mail-db.sh retrieve and display message content from the global SQLite database at ~/.claude/pmail.db.
- Boundary markers: No boundary markers or instructions to ignore embedded commands are present when message content is presented to the agent.
- Capability inventory: The skill uses the Bash tool to interact with the filesystem, sqlite3 for database operations, and git for project identification.
- Sanitization: Input is escaped for database safety using sql_escape, but no sanitization or filtering is applied to the message text before display.
Audit Metadata