Pass
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: SAFECOMMAND_EXECUTIONCREDENTIALS_UNSAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill is built around executing shell commands via the
emailCLI tool to perform mailbox operations. - [CREDENTIALS_UNSAFE]: The configuration workflow (
email config --password "app-password") accepts passwords as command-line arguments, which can be logged in shell history. Furthermore, the skill's documentation explicitly notes that the CLI tool stores these passwords in plain text on the local filesystem. - [EXTERNAL_DOWNLOADS]: The skill instructions include downloading and installing the
@lyhue1991/email-clipackage from the NPM registry. - [PROMPT_INJECTION]: The skill processes untrusted content from external emails, which presents an indirect prompt injection surface.
- Ingestion points: Incoming emails (headers and bodies) are ingested through the
email receivecommand (found in SKILL.md). - Boundary markers: There are no mentioned delimiters or safety instructions to prevent the agent from following commands embedded in email content.
- Capability inventory: The skill has the ability to send data over the network (
email send) and write files to the local disk (email receive --attachments). - Sanitization: No content sanitization or validation steps are described for the received email data.
Audit Metadata