agentmail
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION] (LOW): Indirect Prompt Injection surface. The skill is designed to ingest and process untrusted data from incoming emails, which could contain malicious instructions.
  - Ingestion points: Incoming message content received via the `message.received` event in `references/websockets.md` and `references/webhooks.md`, or fetched via `client.inboxes.messages.get` in `SKILL.md`.
  - Boundary markers: None are present in the SDK usage examples to distinguish email content from agent instructions.
  - Capability inventory: The skill possesses write capabilities including sending messages (`client.inboxes.messages.send`), creating inboxes, and managing webhooks, which could be autonomously triggered by the agent if it obeys instructions inside an email.
  - Sanitization: No content sanitization or validation logic is demonstrated in the examples.
- [SAFE] (SAFE): Secure credential management. The skill documentation uses placeholders (`YOUR_API_KEY`) or environment variables (`process.env.AGENTMAIL_API_KEY`) for authentication tokens.
- [SAFE] (SAFE): Webhook integrity. The skill provides a robust implementation example for verifying HMAC SHA256 signatures in `references/webhooks.md`, ensuring that notifications originate from the trusted service.
Audit Metadata