apple-mail-search
Warn
Audited by Gen Agent Trust Hub on Feb 25, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of the `apple-mail-search-cli` package via npm. This package is hosted in a repository (github.com/gumadeiras/apple-mail-search-cli) that is not associated with a trusted vendor or the skill's stated author, representing an unverified third-party dependency.
- [COMMAND_EXECUTION]: The skill relies on executing the `fruitmail` CLI tool to interact with the local operating system. This tool is granted the capability to query and read data from the user's local file system.
- [PROMPT_INJECTION]: The skill creates an indirect prompt injection surface by ingesting untrusted data from email bodies via the `fruitmail body` command.
  - Ingestion points: Email content is retrieved through the `fruitmail body <id>` command.
  - Boundary markers: None identified; the skill does not wrap the email content in delimiters or provide instructions to the agent to ignore embedded commands.
  - Capability inventory: The skill has the capability to execute shell commands (`fruitmail`) and read sensitive local files.
  - Sanitization: There is no evidence of sanitization or filtering of the email content before it is processed by the agent.
- [DATA_EXFILTRATION]: The skill is designed to access highly sensitive information stored in the Apple Mail envelope index at `~/Library/Mail/V{9,10,11}/MailData/Envelope Index`. While it claims to be read-only, the exposure of this data to an AI agent constitutes a significant privacy risk if the agent is subsequently directed to transmit information externally.
Audit Metadata