email-management-expert
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The README instructions recommend downloading a ZIP file from an untrusted source (github.com/patrickfreyer/apple-mail-mcp/releases) and unzipping it into a sensitive directory (~/.claude/skills/). This allows for the introduction of unverified code from an author not in the trusted scope.
- PROMPT_INJECTION (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8). 1. Ingestion points: Untrusted content from incoming emails accessed via search_emails and get_recent_emails (referenced in examples/inbox-zero-workflow.md). 2. Boundary markers: Absent. No instructions are given to the agent to treat email content as untrusted data or ignore instructions within email bodies. 3. Capability inventory: High-impact tools including forward_email, manage_trash, reply_to_email, export_emails, and manage_drafts (referenced in examples/inbox-zero-workflow.md). 4. Sanitization: None. No escaping or validation is performed on external email content.
- COMMAND_EXECUTION (LOW): The skill documentation includes shell commands for installation (unzip, cp) and describes workflows using tools that perform file system and network operations related to email management.
Audit Metadata