email-manager
Warn
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: MEDIUM
DATA_EXFILTRATION, CREDENTIALS_UNSAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [DATA_EXFILTRATION]: The skill repository contains a `cache/` directory with `emails.json` and `last_summary.txt` which expose sensitive private data. This data includes email subjects, sender addresses, and metadata from real accounts, such as security alerts from Alibaba Cloud, login codes for X and Polymarket, and GitHub notifications.
- [CREDENTIALS_UNSAFE]: The `config/accounts.json` file contains hardcoded real-world email addresses (`2067089451@qq.com`, `aaqwqaa68@gmail.com`). While passwords are not present, exposing these addresses facilitates targeted attacks and violates user privacy.
- [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection. It ingests untrusted data from external email subjects and bodies to generate AI summaries and reply drafts without using boundary markers or sanitization. An attacker could send a specially crafted email to influence the agent's behavior during summarization or to manipulate the content of generated drafts.
  - Ingestion points: `scripts/email_client.py` fetches raw email headers and bodies.
  - Boundary markers: None; untrusted content is directly formatted into strings for the AI.
  - Capability inventory: The skill has the ability to send emails (`scripts/send_email.py`) and access the local password manager via subprocess (`scripts/email_client.py`).
  - Sanitization: No sanitization is performed beyond basic encoding correction and length truncation.
- [COMMAND_EXECUTION]: The `scripts/email_client.py` file uses `subprocess.run` to execute the local `pass` password manager. While this is an intended integration for secure credential storage, it establishes a dependency on shell execution and access to the user's local security infrastructure.
Audit Metadata