The Agent Skills Directory

[COMMAND_EXECUTION]: Directory Traversal. The save_attachment function in mail139.py uses the filename from the email header without sanitization to construct the destination path (output_dir / fn). An attacker could exploit this by sending an email with a maliciously crafted filename (e.g., ../../.bashrc) to overwrite arbitrary files on the system when the user or agent saves attachments.
[PROMPT_INJECTION]: Deceptive Metadata. The skill's description in SKILL.md claims support for any IMAP/SMTP provider and the ability to send emails, but the script is hardcoded for 139.com IMAP and contains no SMTP code. This misleading information could cause an agent to attempt unsupported operations or misjudge the tool's reliability.
[PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill fetches and processes untrusted email content, creating a risk that malicious instructions in an email could influence the agent's behavior. Ingestion points: Email headers and bodies fetched from 139.com via IMAP. Boundary markers: None identified in the skill instructions. Capability inventory: File system access (write) and subprocess execution (invoking lynx for HTML rendering). Sanitization: The tool performs HTML-to-text conversion but does not filter the semantic content for malicious instructions.

mail139