agentmail
Pass
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: SAFE
PROMPT_INJECTION
EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted data from incoming emails, which presents an indirect prompt injection surface where an external sender could attempt to manipulate the agent's behavior.
  - Ingestion points: Untrusted data enters the system through email message text and subjects processed via webhooks as described in `references/WEBHOOKS.md`.
  - Boundary markers: The documentation in `SKILL.md` provides recommendations for implementing sender allowlists and using untrusted content markers, but these are not natively enforced by the skill's implementation.
  - Capability inventory: The skill allows the agent to send emails, reply to threads, and manage inboxes via the `agentmail-cli` script and Python SDK. Examples in `references/EXAMPLES.md` also demonstrate potential integration with GitHub and Slack.
  - Sanitization: No automatic sanitization or validation of the email body is performed by the skill; remediation steps are provided for the user to implement custom filtering logic.
- [EXTERNAL_DOWNLOADS]: The skill relies on external libraries for its core functionality.
  - Evidence: Installation instructions in `README.md` and `references/WEBHOOKS.md` specify dependencies on `agentmail`, `flask`, `ngrok`, `python-dotenv`, `pdfplumber`, and `requests` via package managers.
Audit Metadata