email-delivery

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: CRITICAL | DATA_EXFILTRATION | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
  • Data Exfiltration (CRITICAL): The skill implements a direct path for reading local filesystem data and transmitting it externally via the Resend API.
      • Evidence: In templates/attachment-email-template.ts, the sendWithFileAttachment function reads arbitrary file paths using fs.readFileSync(filePath) and immediately attaches them to an email via resend.emails.send.
      • Risk: An attacker can exploit this capability to exfiltrate sensitive files such as ~/.ssh/id_rsa, .env, or AWS credentials by directing the agent to 'attach' these files to an email.
  • Prompt Injection (HIGH): The skill is vulnerable to Indirect Prompt Injection (Category 8) due to its handling of external URLs and email content.
      • Ingestion points: The fileUrl parameter in templates/attachment-email-template.ts (sendWithUrlAttachment function).
      • Boundary markers: Absent; there are no delimiters or 'ignore' instructions for the content retrieved from URLs.
      • Capability inventory: fetch (network read), fs.readFileSync (local read), and resend.emails.send (network write/email).
      • Sanitization: Absent; fetched URL content is converted directly to a buffer and transmitted without inspection or filtering.
  • Command Execution (LOW): The skill includes shell scripts intended for execution, which increases the local attack surface.
      • Evidence: scripts/validate-attachment.sh and scripts/validate-email.sh use local commands like stat, file, and grep to process input data.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: CRITICAL
  • Analyzed: Feb 16, 2026, 11:30 AM