agentmail
Warn
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- Unverifiable Dependencies (MEDIUM): The skill requires the installation of the agentmail Python package. This package is not from a trusted source or organization as defined in the security analysis guidelines, posing a supply-chain risk.
- Indirect Prompt Injection (LOW): The skill is designed to ingest and process incoming emails, which can contain malicious instructions to subvert agent behavior.
  - Ingestion points: Incoming emails received via the AgentMail SDK (client.inboxes.list, check_inbox.py) or real-time webhooks.
  - Boundary markers: Absent by default; the documentation recommends using 'untrusted markers' and allowlisting as manual implementation steps.
  - Capability inventory: The skill provides capabilities to send emails (client.inboxes.messages.send) and manage infrastructure (client.webhooks.create), which could be abused if an injection is successful.
  - Sanitization: A TypeScript allowlist filter is provided as a reference for clawdbot users, but no built-in sanitization is present in the base Python SDK usage.
Audit Metadata