nodemailer
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (LOW): The skill uses 'npm install nodemailer' to acquire the library. As 'nodemailer' is not on the explicit trusted sources list, this is noted as a low-severity external dependency.
- [PROMPT_INJECTION] (LOW): The skill has a surface for indirect prompt injection (Category 8). 1. Ingestion points: 'user.name' and 'user.email' in 'sendWelcomeEmail'. 2. Boundary markers: Absent. 3. Capability inventory: 'transporter.sendMail' (network/SMTP). 4. Sanitization: Not present in examples.
- [SAFE] (SAFE): No malicious code, obfuscation, or persistence mechanisms were detected. Credential management uses environment variables correctly.
Audit Metadata