agentmail-mcp

Warn

Audited by Snyk on Apr 17, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The SKILL.md shows that the AgentMail MCP exposes the agent to arbitrary, user-generated email content (see the "Available Tools" entries such as get_thread, list_threads and get_attachment, and the example usage "Check my inbox for new messages" / "Reply to the latest email"). The agent is expected to read and act on this content (e.g., reply_to_message/send_message), so untrusted third-party content can influence tool use and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill includes runtime commands that fetch and execute remote packages: "npx agentmail-mcp", which pulls code from the npm registry (e.g., https://registry.npmjs.org/agentmail-mcp), and the pip option "pip install agentmail-mcp", which installs from PyPI. The skill therefore has a required external dependency whose code is fetched and executed at runtime.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Apr 17, 2026, 05:17 PM
Issues: 2