email-channel

Warn

Audited by Gen Agent Trust Hub on Feb 24, 2026

Risk Level: MEDIUM (DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • [DATA_EXFILTRATION]: The outbound.sendText and deliver callback functions in src/channel.ts allow the agent to attach files to outgoing emails by providing a filePath. This enables the agent to read and transmit any file on the local filesystem that the process has permissions to access.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes untrusted data from incoming emails (Category 8).
    • Ingestion points: Incoming email bodies and attachments are parsed in the processInbox function within src/channel.ts and dispatched to the AI runtime.
    • Boundary markers: There are no boundary markers or 'ignore embedded instructions' warnings used when passing the email body to the agent context.
    • Capability inventory: The agent has the capability to send emails with arbitrary attachments via SMTP and write received attachments to the local disk using fs.writeFileSync.
    • Sanitization: The skill performs utility-based cleaning (stripping quoted replies) but does not sanitize the input for malicious instructions or hidden prompts.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 24, 2026, 06:55 AM