agentmail
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFE
PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it is designed to ingest and process text from external emails, which could contain malicious instructions for the agent.
  - Ingestion points: Incoming messages are retrieved in `scripts/check_inbox.py` and received via webhooks as described in `references/WEBHOOKS.md`.
  - Boundary markers: The provided Python scripts do not implement delimiters or boundary markers for email content, though `SKILL.md` recommends them as a defense layer.
  - Capability inventory: The agent has the capability to send emails (`scripts/send_email.py`), read local files for attachments, and interact with external APIs like GitHub (`references/EXAMPLES.md`).
  - Sanitization: No input sanitization is performed within the provided Python scripts; however, the author provides a detailed TypeScript remediation example in `SKILL.md` for filtering senders.
- [EXTERNAL_DOWNLOADS]: The skill requires several standard third-party libraries for full functionality.
  - Evidence: The documentation recommends installing `agentmail`, `python-dotenv`, `flask`, `ngrok`, `pdfplumber`, and `requests` via package managers.
- [COMMAND_EXECUTION]: The skill includes scripts that perform network operations and file system access.
  - Evidence: `scripts/send_email.py` reads files from local paths to create attachments and communicates with `api.agentmail.to`. `references/EXAMPLES.md` demonstrates workflows involving temporary file creation and interaction with the GitHub API.
Audit Metadata