The Agent Skills Directory

PROMPT_INJECTION (HIGH): The skill is highly susceptible to Indirect Prompt Injection (Category 8) because its primary function is to process external, untrusted email data.
Ingestion points: Incoming emails are received via the agentmail API and processed through webhooks.
Boundary markers: The provided implementation in SKILL.md (specifically the email-allowlist.ts script) directly interpolates the email subject and body into the agent's prompt without using robust delimiters or sanitization.
Capability inventory: The skill allows the agent to send emails (messages.send), create inboxes, and trigger session 'wake' actions. This combination of external input and side-effect capabilities meets the HIGH severity criteria.
Sanitization: While the skill suggests an allowlist, it is a client-side implementation detail that does not mitigate the inherent risk of the agent obeying instructions contained within emails from 'trusted' but compromised sources or via sender spoofing.
EXTERNAL_DOWNLOADS (MEDIUM): The skill requires the installation of an unverified third-party Python package (agentmail) from PyPI (Category 4).
Evidence: The 'Quick Start' section in SKILL.md instructs the user to run pip install agentmail, which is not a package from a trusted organization or repository defined in the security protocol.
COMMAND_EXECUTION (MEDIUM): The skill directs the user to perform system-level configuration changes and script generation (Category 10).
Evidence: The 'Security' section in SKILL.md requires creating a new TypeScript file in ~/.clawdbot/hooks/ and modifying ~/.clawdbot/clawdbot.json. It also requires executing a service restart command (clawdbot gateway restart), which establishes a persistence and execution hook for processing incoming data.

agentmail