postmark-inbound

Warn

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: MEDIUMPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill processes untrusted content from incoming emails via Postmark webhooks.
  • Ingestion points: Untrusted data enters the agent context through fields like TextBody, HtmlBody, and StrippedTextReply as documented in references/payload-structure.md.
  • Boundary markers: The documentation and examples do not include boundary markers or "ignore embedded instructions" warnings for the processed email content.
  • Capability inventory: The skill includes file system write capabilities (fs.writeFileSync) and network API interactions (curl, postmark library) as shown in references/handler-examples.md and references/inbound-api.md.
  • Sanitization: There is no evidence of sanitization or validation of the email content before it is processed or stored.
  • [COMMAND_EXECUTION]: The code examples in references/handler-examples.md demonstrate insecure file handling. Specifically, the attachment processing function uses path.join('/tmp/attachments', attachment.Name) to determine the destination path. Since attachment.Name originates from the untrusted webhook payload, this pattern is vulnerable to path traversal attacks, potentially allowing an attacker to write files to arbitrary locations on the file system by providing a malicious filename (e.g., using '../' sequences).
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 19, 2026, 12:52 AM
Security Audit — agent-trust-hub — postmark-inbound