postbox
Pass
Audited by Gen Agent Trust Hub on Apr 30, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: No malicious patterns or security vulnerabilities were identified during the analysis. All operations align with the intended purpose of the skill as a data collection operator.
- [CREDENTIALS_UNSAFE]: The skill enforces secure secret management by utilizing environment variables (POSTBOX_API_TOKEN) and includes a strict prohibition against accepting or displaying API keys in the chat session.
- [PROMPT_INJECTION]: Instructions specifically address and mitigate indirect prompt injection by requiring the agent to treat all data from submissions and API responses as untrusted, preventing the execution of embedded commands.
- [DATA_EXFILTRATION]: Network activity is restricted to the official vendor domain (usepostbox.com) for legitimate API operations. No attempts to access sensitive system files (e.g., SSH keys, AWS configs) or unauthorized data transfer were found.
- [REMOTE_CODE_EXECUTION]: The skill generates frontend integration code safely using local markdown-based templates, without downloading or executing any external or unverified scripts.
Audit Metadata