apple-mail
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE
COMMAND_EXECUTION PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script uses `sqlite3` to query the local Apple Mail 'Envelope Index' database. While it implements basic single-quote escaping for search filters (e.g., `--from`, `--subject`), it does not use fully parameterized queries, which is a common pattern for local CLI tools but poses a minor risk if inputs are not strictly controlled.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8). It ingests untrusted data from external emails (subject lines, bodies, and attachments) which are then presented to the agent.
  - Ingestion points: Reads email metadata, summaries, and raw RFC822 content from `~/Library/Mail` via `apple-mail.sh` (commands `search`, `info`, `read`).
  - Boundary markers: None identified in the script output or tool definitions to separate email content from instructions.
  - Capability inventory: The agent can perform local file reads (`read`), directory listing (`mailboxes`), and file extraction to `/tmp` (`attachment`).
  - Sanitization: The script performs basic SQL escaping but does not sanitize the content of the emails themselves before they are processed by the LLM.
- [DATA_EXPOSURE]: The skill explicitly targets sensitive user data (personal emails and attachments). While this is the stated primary purpose of the skill, it creates a high-value target for exfiltration if the agent is subsequently compromised or tricked by malicious email content.
Audit Metadata