apple-mail-search
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUM
DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill accesses highly sensitive local database files located at `~/Library/Mail/V{9,10,11}/MailData/Envelope Index`. This database contains the user's complete email metadata history, including subjects, sender identities, and recipient lists. While this access is required for the skill's primary function, it exposes private communication records to the agent context.
- [COMMAND_EXECUTION]: The skill relies on the execution of the `sqlite3` binary and a custom `mail-search` utility. It provides instructions for executing raw SQL queries, which could be exploited if the agent interpolates search terms without strict validation.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface because it processes untrusted data from incoming emails.
  - Ingestion points: Email metadata (subjects, sender names, and attachment filenames) is retrieved from the local database and provided to the agent.
  - Boundary markers: No specific boundary markers or instructions to ignore embedded commands are used when presenting retrieved metadata to the agent.
  - Capability inventory: The skill executes local binaries and database queries.
  - Sanitization: No sanitization is performed on the retrieved metadata, allowing potentially malicious email subjects to influence the agent's behavior or decision-making.
Audit Metadata