email-manager
Fail
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: HIGH (DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [DATA_EXFILTRATION]: Exposure of personally identifiable information and sensitive email data within the skill's distributed files.
  - The file `config/accounts.json` contains specific, hardcoded email addresses (`2067089451@qq.com`, `aaqwqaa68@gmail.com`).
  - The file `cache/emails.json` contains cached email metadata including subjects and sender information from real-world accounts, which constitutes a data leak in a skill distribution context.
- [COMMAND_EXECUTION]: Local command execution for credential management.
  - The script `scripts/email_client.py` uses `subprocess.run` to call the `pass` utility to retrieve account passwords, which is a local command execution of a system tool.
- [PROMPT_INJECTION]: Vulnerability to indirect prompt injection from untrusted external data.
  - Ingestion points: Email subjects and bodies are fetched from remote IMAP servers in `scripts/email_client.py`.
  - Boundary markers: The skill lacks delimiters or instructions to prevent the AI from obeying commands embedded in email content during summarization or drafting.
  - Capability inventory: The skill can send emails via SMTP (`scripts/send_email.py`) and perform AI-driven content generation.
  - Sanitization: No sanitization or filtering is applied to the email content before it is processed by the AI.
Recommendations
- AI detected serious security threats
Audit Metadata