email-theme-styling
Fail
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: HIGH (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill recommends a verification workflow that involves fetching JSON data from a local API and piping it directly to a Python interpreter for processing.
  - Evidence:
    curl -s http://127.0.0.1:8025/mailpit/api/v1/messages | python3 -m json.tool
    curl -s http://127.0.0.1:8025/mailpit/api/v1/messages | python3 -c "..."
  - While targeting localhost (127.0.0.1) reduces the network attack surface, executing content fetched via network requests (even locally) is a dangerous practice as it bypasses standard safety boundaries.
- [COMMAND_EXECUTION]: The skill provides numerous shell commands for environment management, including cleaning directories (rm -rf var/view_preprocessed/*), deploying static content, and running npm build scripts.
- [PROMPT_INJECTION]: The skill creates an indirect prompt injection surface by encouraging the automated ingestion of email content from the Mailpit API without sanitization.
  - Ingestion points: Messages and HTML content are retrieved from http://127.0.0.1:8025/mailpit/api/v1/message/{MESSAGE_ID}/html.
  - Boundary markers: No delimiters or instructions to ignore embedded commands are used when retrieving or processing the email data.
  - Capability inventory: The skill suggests executing shell commands via ddev exec and running Python scripts based on the fetched data.
  - Sanitization: No sanitization or validation of the fetched HTML/JSON content is mentioned before it is processed or displayed.
Recommendations
- HIGH: Downloads and executes remote code from: http://127.0.0.1:8025/mailpit/api/v1/messages, http://127.0.0.1:8025/mailpit/api/v1/message/{MESSAGE_ID}. DO NOT USE without thorough review.
Audit Metadata