email-manager
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script executes local system commands to retrieve credentials.
  - Evidence: scripts/email_client.py uses subprocess.run(['pass', 'show', path]) to fetch passwords from the local password store.
- [DATA_EXFILTRATION]: Sensitive user data is stored locally and potentially sent to external targets.
  - Evidence: scripts/check_email.py and scripts/email_client.py store fetched email subjects and bodies in cache/emails.json without encryption.
  - Evidence: config/accounts.json contains a hardcoded Telegram chat ID (notification_target) used for notifications, which may send sensitive email summaries to an external service.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection via incoming emails.
  - Ingestion points: scripts/email_client.py (via fetch_unread and fetch_recent) reads untrusted email content from external senders.
  - Boundary markers: Absent. No delimiters or instructions are used to separate email content from system instructions in scripts/reply_draft.py.
  - Capability inventory: The skill has the ability to send emails (scripts/email_client.py) and read from a local password store.
  - Sanitization: Absent. The skill does not sanitize or filter email content before processing it for summaries or reply generation.
Audit Metadata