agentmail
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFEPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection via incoming emails.
- Ingestion points:
scripts/check_inbox.py(polling) andreferences/WEBHOOKS.md(webhook handlers) ingest message content from external senders. - Boundary markers: The provided code scripts do not include boundary markers or delimiters for untrusted content. The author addresses this risk in
SKILL.mdby suggesting the use of allowlists and separate review sessions. - Capability inventory: The skill can send emails (
scripts/send_email.py) and attach local files to outgoing messages. These capabilities could be exploited if an agent follows instructions embedded in a malicious incoming email. - Sanitization: No automated sanitization or filtering of incoming email content is implemented within the provided Python scripts.
- [DATA_EXFILTRATION]: The skill transmits email data and attachments to the vendor's API endpoint (
api.agentmail.to). While this is the intended functionality, it involves sending potentially sensitive user-provided content to an external service.
Audit Metadata