agent-mail
Fail
Audited by Gen Agent Trust Hub on Jun 20, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The installation and recovery documentation in references/INSTALL.md and references/FIX-MCP-CONFIG.md promotes the use of the curl | bash pattern to execute a remote shell script (install.sh) from the Dicklesworthstone/mcp_agent_mail GitHub repository without local verification or checksum validation.
- [CREDENTIALS_UNSAFE]: The fix_cc_mcp script provided in references/FIX-MCP-CONFIG.md is designed to automatically scan sensitive local files, such as ~/.claude.json and .env files, to extract HTTP_BEARER_TOKEN authentication credentials.
- [EXTERNAL_DOWNLOADS]: The skill fetches and executes code from external GitHub repositories (Dicklesworthstone/mcp_agent_mail, boshu2/mcp_agent_mail_rust) that are not recognized as trusted organizations or well-known services.
- [COMMAND_EXECUTION]: The skill relies on extensive use of system shell commands (am, uv run, npx) for core operations, including service management, database repairs, and installation tasks.
- [PROMPT_INJECTION]: The skill implements tools that process untrusted external data (mailbox messages), which presents an indirect prompt injection surface.
  - Ingestion points: External message content retrieved from the database via fetch_inbox and summarize_thread (in references/TOOLS.md).
  - Boundary markers: None identified in the instructions for separating untrusted message content from system instructions.
  - Capability inventory: The agent has capabilities for file system reservations, shell command execution, and network communication.
  - Sanitization: There is no mention of sanitization or filtering of message content before it is processed by the LLM.
Recommendations
- AI detected serious security threats
Audit Metadata