skills/simhacker/moollm/postal/Gen Agent Trust Hub

postal

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION] (HIGH): The ability to target source code files (e.g., 'auth.py', 'engine.cpp') with 'mail' delivery enables arbitrary code injection. An attacker could send a message containing malicious code and address it to a critical script file or function (e.g., 'src/lib/utils.ts#fetchData').
  • [COMMAND_EXECUTION] (HIGH): The 'Universal Addressing' feature provides a 'Write-What-Where' primitive. Routing instructions such as 'create_message_file' and 'move_item' described in ROUTING.md can be directed at any pointer or file path in the environment, allowing for unauthorized modification of the filesystem.
  • [DATA_EXFILTRATION] (MEDIUM): The system permits 'mailing' content from sensitive paths or object references. This could be used to read and transmit sensitive data by addressing a read-source to an accessible 'inbox' or 'storage' directory.
  • [PROMPT_INJECTION] (LOW): The 'creates_goal' feature allows untrusted inputs from characters (NPCs) to inject instructions into the agent's task queue. This is a significant indirect prompt injection surface.
  • Ingestion points: Character-controlled message bodies, 'from' fields, and 'creates_goal' blocks in YAML templates (README.md, CARD.yml).
  • Boundary markers: Absent; messages are processed as trusted simulation data without delimiters or warnings.
  • Capability inventory: File modification (create_message_file), inventory movement (move_item), and goal management (creates_goal).
  • Sanitization: Absent; the system is designed to accept all pointer-based addresses as 'valid anyway'.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 06:33 PM