agentmail
Pass
Audited by Gen Agent Trust Hub on May 15, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted data from external emails, which serves as an ingestion point for indirect prompt injection.
- Ingestion points: The
scripts/check_inbox.pyscript and theagentmailSDK fetch message snippets, subjects, and headers from the AgentMail service into the agent's context. - Boundary markers: While the
SKILL.mdincludes a manual warning for the agent to treat incoming content as untrusted, no programmatic boundary markers or delimiters are implemented in the provided scripts to isolate external content. - Capability inventory: The skill provides capabilities to send emails through the
scripts/send_email.pyutility and the SDK, which could be exploited if the agent follows malicious instructions contained in received messages. - Sanitization: No programmatic filtering, sanitization, or validation of incoming email content is performed before it is presented to the agent.
Audit Metadata