email-manager
Warn
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: MEDIUM (DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [DATA_EXFILTRATION]: The skill package contains a `cache/` directory with `emails.json` and `last_summary.txt`. These files contain actual email metadata from the author's personal/test accounts (`2067089451@qq.com` and `aaqwqaa68@gmail.com`), exposing private information including subject lines from Alibaba Cloud, GitHub security alerts, and news subscriptions.
- [COMMAND_EXECUTION]: The `scripts/email_client.py` script invokes `subprocess.run` to interact with the `pass` utility for retrieving credentials. While this is an intended and relatively secure design for credential storage, it involves executing shell commands with arguments derived from the `config/accounts.json` configuration file.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from external email sources to generate AI summaries and reply drafts.
  - Ingestion points: `scripts/email_client.py` fetches email subjects and bodies from remote IMAP servers.
  - Boundary markers: The skill does not use delimiters or specific instructions to separate untrusted email content from the agent's core logic.
  - Capability inventory: The skill has the capability to read/write local files (`scripts/check_email.py`, `scripts/reply_draft.py`) and send emails via SMTP (`scripts/send_email.py`).
  - Sanitization: The code lacks sanitization or validation of the email body content, which could allow an attacker to influence the agent's summaries or draft responses through specially crafted emails.
Audit Metadata