agent-mail
Fail
Audited by Snyk on Feb 20, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.90). The skill instructs piping a raw GitHub-hosted install.sh (raw.githubusercontent.com/…/install.sh) from an unverified/unknown account into bash (the classic curl | bash pattern), which is a high-risk direct executable download. The 127.0.0.1:8765 and /mail URLs are local service endpoints, not external download sources.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's AGENTS.md explicitly instructs agents to "SEARCH ONLINE" for third-party library documentation, and the system also supports loading exported mailboxes and attachments from public hosts (e.g., GitHub Pages / httpvfs chunked bundles referenced in the share/export and viewer plans), meaning the agent will fetch and interpret untrusted public web content as part of its workflow.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill includes explicit curl | bash one-liners in its installation instructions that fetch and execute remote scripts at runtime (for example: https://raw.githubusercontent.com/Dicklesworthstone/mcp_agent_mail/main/scripts/install.sh?$(date +%s), https://raw.githubusercontent.com/steveyegge/beads/main/scripts/install.sh, and https://raw.githubusercontent.com/Dicklesworthstone/ultimate_bug_scanner/main/install.sh), which would run remote code and are presented as the recommended install path.
Audit Metadata