mcp_agent_mail
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The skill documentation instructs users to execute a provided shell script (
./mcp_agent_mail/scripts/server-health.sh) and a local CLI tool (agent-mail). While these appear to be internal tools, running unvetted shell scripts poses a risk of unintended system modifications or information disclosure. - [DATA_EXFILTRATION] (MEDIUM): The messaging system explicitly supports sending "rich content" including "files" and "attachments" (referenced in
README.md). If an agent is compromised or tricked via prompt injection, this capability can be used to exfiltrate sensitive local files to other agents or to theagent-mailserver (localhost:9743). - [PROMPT_INJECTION] (HIGH): As a multi-agent coordination hub, this skill is highly susceptible to Indirect Prompt Injection (Category 8).
- Ingestion points: Data enters the system via
tools.agent_mail.sendMessage(body/subject),tools.agent_mail.broadcast, andtools.agent_mail.registerAgent(capabilities/metadata). - Boundary markers: None identified in the provided TypeScript tool definitions or documentation templates.
- Capability inventory: The skill allows agents to "reserve" (lock) files (
tools.agent_mail.reserveFile), which can be used for Denial of Service (locking an agent out of its own codebase) if malicious instructions are processed. - Sanitization: There is no mention of input sanitization or validation for message content that will be processed by downstream agents.
Recommendations
- AI detected serious security threats
Audit Metadata