Fail
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: HIGH (CREDENTIALS_UNSAFE, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [CREDENTIALS_UNSAFE]: The configuration file `scripts/config.json` stores email authentication codes and passwords in plain text for QQ and 163 mail services.
- [DATA_EXFILTRATION]: The `send_email` functionality in `scripts/email_manager.py` allows for reading arbitrary files from the filesystem and sending them as attachments, which could be used for data theft.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. Ingestion points: untrusted email content is retrieved via `receive_emails` and `receive_emails_since` in `scripts/email_manager.py`. Boundary markers: none are used to isolate email data from agent instructions. Capability inventory: includes deleting emails (`delete_email`) and sending emails with attachments (`send_email`). Sanitization: only basic HTML tag stripping is performed in `_html_to_text`, leaving the agent vulnerable to instructions embedded in the email text.
Recommendations
- AI detected serious security threats
Audit Metadata