apple-mail-search-2
Pass
Audited by Gen Agent Trust Hub on Feb 25, 2026
Risk Level: SAFEDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill is designed to access highly sensitive user data by querying the Apple Mail SQLite database located at
~/Library/Mail/V{9,10,11}/MailData/Envelope Index. This database contains private information including email subjects, sender/recipient identities, and attachment metadata. - [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands, including installation steps (
cp,chmod +x) and running a local binary (mail-search) orsqlite3to perform searches. - [PROMPT_INJECTION]: The skill facilitates indirect prompt injection by ingesting and processing untrusted data from external sources (the Mail database).
- Ingestion points: Email subjects, sender names, and attachment filenames retrieved from the
Envelope Indexdatabase. - Boundary markers: None. There are no instructions to the agent to treat the retrieved email content as untrusted data or to ignore instructions embedded within those strings.
- Capability inventory: The agent can execute shell commands, read local files, and potentially perform further actions based on the content of the emails it reads.
- Sanitization: No sanitization or validation of the retrieved email metadata is implemented or described.
Audit Metadata