mail139

Pass

Audited by Gen Agent Trust Hub on Mar 15, 2026

Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION

Full Analysis
  • [COMMAND_EXECUTION]: The script uses subprocess.run to invoke the lynx binary for HTML-to-text conversion.
      • Evidence: subprocess.run(["lynx", "--dump", "--stdin"], ...) in mail139.py.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from external emails and presents it to the agent without sufficient sanitization or boundary markers.
      • Ingestion points: Email content is fetched from imap.139.com via conn.uid("fetch", ...) in mail139.py.
      • Boundary markers: The output uses visual separators (===, ---) but lacks explicit instructions for the agent to disregard instructions contained within the email body.
      • Capability inventory: The skill can execute subprocesses and write files to the local filesystem.
      • Sanitization: While HTML tags are stripped via lynx or a basic parser, the resulting plain text is not filtered for natural language instructions that could manipulate agent behavior.
  • [DATA_EXFILTRATION]: The skill includes functionality to save attachments but does not sanitize the filenames provided in email headers, potentially allowing for path traversal attacks.
      • Evidence: dest = output_dir / fn in mail139.py (line 191) uses the filename directly from the email header without checking for directory traversal sequences like ../ or absolute paths.

Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 15, 2026, 07:09 AM