mailcli
Warn
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of the `@yupingwang/mailcli` package from the NPM registry. This package is an external dependency not associated with a recognized trusted organization or the author's own verified namespace, representing an unverified third-party software risk.
- [CREDENTIALS_UNSAFE]: The documentation and workflow examples in `references/install.md` and `references/workflows.md` encourage users to provide sensitive email passwords and keyring passphrases as plain-text command-line arguments (`--password`) and environment variables (`MAILCLI_AUTH_PASSWORD`). This practice can expose credentials in shell history, process listings, and environment logs.
- [COMMAND_EXECUTION]: The skill dynamically constructs and executes local shell commands using the `mailcli` utility. While the `scripts/build_mailcli_cmd.sh` script employs basic argument quoting with `printf %q`, the dynamic assembly of complex commands based on user input remains a significant risk factor.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through its email processing capabilities.
  - Ingestion points: Reads untrusted email bodies and metadata using commands like `mailcli read <uid>` and `mailcli inbox list`.
  - Boundary markers: The skill lacks delimiters or specific instructions to treat email content as untrusted data, increasing the risk that the agent will follow instructions embedded within an email.
  - Capability inventory: The skill has the ability to send emails, delete messages, and modify configuration files, which could be abused if the agent is hijacked.
  - Sanitization: There is no evidence of sanitization or filtering applied to external content before it is processed by the agent.
Audit Metadata