agentmail
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The
npm/scripts/postinstall.jsscript downloads a platform-specific binary (e.g.,agentmail_0.4.0_macos_arm64.zip) from the official vendor repository athttps://github.com/agentmail-to/agentmail-cli/releases. This is a standard distribution method for cross-platform Go binaries via NPM. - [COMMAND_EXECUTION]: The skill uses
child_process.execFileSyncinnpm/bin/agentmailto execute the downloaded binary. Additionally,pkg/cmd/cmdutil.gomay execute a local pager program (likeless) to display long outputs, which is standard CLI behavior. - [INDIRECT_PROMPT_INJECTION]: The skill presents an attack surface for indirect prompt injection because it ingests untrusted data from external sources.
- Ingestion points: Commands like
inboxes:messages listandinboxes:messages retrieveinpkg/cmd/inboxmessage.gofetch email content from the AgentMail API. - Boundary markers: Explicit boundary markers or warnings to ignore embedded instructions are absent in the CLI output.
- Capability inventory: The skill has the capability to write files (downloading attachments in
pkg/cmd/cmdutil.go), execute subprocesses (launching a pager inpkg/cmd/cmdutil.go), and perform network operations (API requests). - Sanitization: The skill performs standard formatting (JSON, YAML, or Pretty-print) but does not specifically sanitize email bodies for LLM instruction markers.
Audit Metadata