imap-smtp-email
Pass
Audited by Gen Agent Trust Hub on Mar 21, 2026
Risk Level: SAFE, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8) because it fetches and processes untrusted content from external email servers.
  - Ingestion points: The scripts/imap.js file fetches email subjects, plain text bodies, and HTML content using the mailparser library, which is then returned to the agent context.
  - Boundary markers: No explicit boundary markers or instructions to ignore embedded commands within email content are provided in SKILL.md.
  - Capability inventory: The skill includes powerful capabilities such as sending emails (scripts/smtp.js) and modifying email states (scripts/imap.js). These could be triggered by instructions found within a processed email.
  - Sanitization: While mailparser correctly parses email structures, there is no sanitization or filtering logic to detect or neutralize natural language instructions embedded within the email text.
- [DATA_EXFILTRATION]: The scripts/smtp.js tool allows for attaching arbitrary local files to outgoing emails via the --attach parameter. An attacker could potentially exfiltrate sensitive files, such as the .env configuration file or SSH keys, by manipulating the agent into sending an email with these files attached.
- [SAFE]: The skill implements a setup.sh script to assist users in configuring their credentials locally. This is a standard and recommended practice for managing sensitive environment variables without hardcoding them into the skill logic.
- [SAFE]: The use of IMAP_REJECT_UNAUTHORIZED and SMTP_REJECT_UNAUTHORIZED flags allows users to connect to servers with self-signed certificates. While disabling certificate validation (setting to false) introduces a risk of Man-in-the-Middle (MITM) attacks, the default behavior and the documentation encourage secure configurations.
Audit Metadata