apple-mail
Pass
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill facilitates the ingestion of untrusted third-party content (emails) into the agent's context, which is a primary vector for indirect prompt injection. An attacker could send a malicious email that, when read or searched, attempts to hijack the agent's behavior.
- Ingestion points: Email subjects, bodies, and metadata are ingested via the
search,info, andreadcommands. - Boundary markers: Documentation does not specify the use of delimiters or instructions to ignore embedded commands within the email data.
- Capability inventory: The skill uses
apple-mail.shto perform file system reads and SQLite queries; the risk is compounded if the agent has broader system access or network capabilities. - Sanitization: No evidence of sanitization or filtering of email content before processing.
- [Data Exposure] (LOW): The skill is explicitly designed to access and extract data from Apple Mail's local storage (likely in
~/Library/Mail). While this is the stated purpose, it grants the agent access to highly sensitive personal and professional communication, which should be considered a high-risk capability.
Audit Metadata