inbound-cli
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructions in `SKILL.md` direct the agent to install the `inbound-cli` package globally using `npm i -g`. This command typically requires administrative privileges on many system configurations.
- [COMMAND_EXECUTION]: The repository includes a `security-agent` package that provides an HTTP wrapper for executing administrative and abuse-handling commands (e.g., `/abuse-block`), as documented in its README.
- [EXTERNAL_DOWNLOADS]: The root skill and the nested `react-doctor` skill instruct the agent to fetch and execute packages from the official NPM registry (`inbound-cli` and `react-doctor`). NPM is a well-known and trusted service registry.
- [PROMPT_INJECTION]: The skill facilitates the processing of incoming email bodies, which are untrusted external data sources, creating a surface for indirect prompt injection (Category 8).
  - Ingestion points: Untrusted data enters the agent's context through incoming email bodies stored in the `parsed_emails` and `structured_emails` database tables.
  - Boundary markers (absent): The provided skill instructions do not specify the use of delimiters or instructions to ignore embedded commands within email content.
  - Capability inventory: The agent is empowered to list, retrieve, and modify email data using the `inbound` CLI and can potentially trigger actions through the `security-agent` and `prompt-support` modules.
  - Sanitization (absent): There is no explicit requirement in the skill body for the agent to sanitize or escape untrusted content before interpretation.