Pass
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- Indirect Prompt Injection (LOW): The skill is designed to ingest and process untrusted data from external email servers.
- Ingestion points:
fetch-emails.shandread-email.shretrieve content from IMAP servers. - Boundary markers: None. The scripts do not use delimiters or instructions to ignore embedded commands in email bodies.
- Capability inventory: The skill includes
send-email.sh, providing a direct channel for data exfiltration if the agent is manipulated. - Sanitization: No sanitization or escaping is performed on the email content before it is processed or displayed to the agent.
- Command Execution (SAFE): The shell scripts (
send-email.sh,fetch-emails.sh) usecurlto interact with mail servers. Variables are properly quoted (e.g.,"$TO","$SUBJECT"), which mitigates basic shell injection, though the skill relies on the upstream agent to provide valid inputs. - Credential Safety (SAFE): The skill demonstrates high security maturity by using
security find-generic-passwordto fetch credentials from the system Keychain at runtime rather than storing them in plain text configuration files.
Audit Metadata