The Agent Skills Directory

Data Exposure & Exfiltration (HIGH): The skill is designed to access and extract data from ~/Library/Mail/V10/MailData/Envelope Index. This path contains the user's entire email history, including subjects, sender identities, and full message content via .emlx files. While the skill claims no network requests are made, the data retrieved is passed directly into the AI agent's context, which may have its own exfiltration capabilities.
Indirect Prompt Injection (HIGH): The skill ingests untrusted data from external sources (incoming emails).
Ingestion points: search, recent, and read commands pull content from the Apple Mail database.
Boundary markers: None mentioned in the documentation; untrusted email content is likely interpolated directly into the agent's prompt.
Capability inventory: The agent can read full email bodies (read --id). If the agent has other capabilities (e.g., file system access, browser access, or API integrations), an attacker could send a malicious email that, when read by this skill, triggers unauthorized actions by the agent.
Sanitization: No evidence of sanitization or instruction-filtering for the email content is provided.
Privilege Escalation (MEDIUM): Accessing the ~/Library/Mail directory on modern macOS versions typically requires 'Full Disk Access' permissions. While the skill doesn't use sudo, it operates within a high-privilege context relative to standard user files.

apple-mail-search