agentmail
Warn
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill recommends installing a Node.js CLI tool `agentmail-cli` from an unverified source. This package is not hosted by a trusted organization or well-known service, posing a risk of untrusted code execution on the host system.
- [DATA_EXFILTRATION]: The skill transmits sensitive data, including the `AGENTMAIL_API_KEY` and third-party OAuth tokens (e.g., Gmail/Outlook), to an external API domain (api.openclaw.com). This domain is not recognized as a trusted or well-known service provider, which could lead to credential exposure.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted email content to perform actions like classification and response drafting.
  - Ingestion points: Raw email content and metadata entered through CLI and API parameters (SKILL.md).
  - Boundary markers: None; there are no instructions or delimiters specified to help the agent distinguish between administrative instructions and untrusted email body content.
  - Capability inventory: Subprocess execution via CLI commands, network operations via `curl` and `fetch`, and the ability to schedule/send emails.
  - Sanitization: No sanitization, escaping, or validation steps are mentioned for the email content before it is processed by the AI or the external service.
- [COMMAND_EXECUTION]: The documentation encourages shell-level automation, such as piping the output of external tools directly into other utilities (e.g., `agentmail ... | jq`). This pattern can be exploited if the external service returns a malicious payload intended to manipulate downstream command execution.
Audit Metadata