agentmail
Pass
Audited by Gen Agent Trust Hub on Mar 26, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: During installation, the `npm/scripts/postinstall.js` script fetches a platform-specific binary from the official vendor repository on GitHub (github.com/agentmail-to/agentmail-cli). This is a documented and standard distribution mechanism for this service.
- [COMMAND_EXECUTION]: The package invokes system utilities including `tar`, `unzip`, or `powershell` to extract downloaded assets. The CLI also executes the system pager (e.g., `less`) when handling large data streams for user display.
- [PROMPT_INJECTION]: (Category 8: Indirect Prompt Injection surface) The skill's architecture presents a vulnerability surface where external data could influence sensitive operations.
  - Ingestion points: The agent is instructed to provide string values for email parameters such as `--subject`, `--text`, and `--html` using data often sourced from untrusted external contexts (e.g., incoming email summaries or user-provided messages).
  - Boundary markers: Absent. The instructions do not define delimiters or specific 'ignore instructions' warnings for external data interpolation.
  - Capability inventory: The CLI implementation in `pkg/cmd/flagoptions.go` includes a feature that automatically reads and embeds the contents of local files when a parameter is prefixed with `@`, `@file://`, or `@data://`. When combined with the tool's ability to send network requests to the AgentMail API, this creates a read-and-exfiltrate capability.
  - Sanitization: Absent. The CLI logic does not appear to strip or validate the `@` prefix from input strings before processing them as potential file system paths.