agentmail

Pass

Audited by Gen Agent Trust Hub on Apr 11, 2026

Risk Level: SAFE

Flagged categories: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill recommends installing vendor-owned packages agentmail and agentmail-toolkit from standard registries like PyPI and NPM.
  • [COMMAND_EXECUTION]: The documentation provides standard setup commands including pip install and npm install for managing dependencies.
  • [DATA_EXFILTRATION]: The skill manages communication data via the AgentMail API. A potential security risk is identified in references/examples.md (Pattern 7), which demonstrates saving email attachments under the unsanitized filename attribute taken from the message payload; without validation of that filename, this could lead to path traversal vulnerabilities.
  • [PROMPT_INJECTION]: The skill demonstrates a surface for indirect prompt injection where untrusted external data influences agent behavior.
    1. Ingestion points: Raw email bodies are ingested via webhooks in SKILL.md and references/examples.md.
    2. Boundary markers: The example code lacks delimiters or instructions to ignore embedded commands within the email text.
    3. Capability inventory: The agent is equipped with tools to send, reply to, and list messages, providing an exploitation path if the agent is compromised.
    4. Sanitization: There is no evidence of sanitization or filtering of the email["text"] content before it is interpolated into the prompt for the LLM.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 11, 2026, 08:40 PM
Security Audit — agent-trust-hub — agentmail