macos-mail
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFEDATA_EXFILTRATIONPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [DATA_EXFILTRATION]: The skill provides extensive access to sensitive user communications, including email bodies, subjects, sender information, and headers, through scripts such as
scripts/message/get.applescriptandscripts/message/list.applescript. - [PROMPT_INJECTION]: The skill has a significant attack surface for indirect prompt injection, where malicious instructions contained in incoming emails could be interpreted as commands by the AI agent.
- Ingestion points: Untrusted data enters the agent's context through scripts that read email content:
scripts/message/get.applescript,scripts/message/list.applescript, andscripts/message/search.applescript. - Boundary markers: Absent. There are no delimiters or system instructions to the agent to treat the fetched email body as untrusted content.
- Capability inventory: The skill provides powerful actions including sending emails (
scripts/message/send.applescript), replying (scripts/message/reply.applescript), and deleting messages (scripts/message/delete.applescript). - Sanitization: Absent. The email body content is retrieved and passed to the agent without any escaping or instruction filtering.
- [COMMAND_EXECUTION]: The skill relies on
osascriptto execute AppleScript, providing the agent with programmatic control over Mail.app. While arguments are handled throughargv, this interface allows for complex manipulation of the user's mail environment.
Audit Metadata