agent-email
Pass
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill uses
npxto dynamically fetch and execute the@clawemail/mail-clipackage from the npm registry at runtime. This package is the official tool provided by the ClawEmail service (NetEase) for managing Agent-specific mailboxes. - [REMOTE_CODE_EXECUTION]: The use of
npx --yes "@clawemail/mail-cli@latest"inscripts/mail-ops.shrepresents the execution of remote code from a package registry. As this targets a well-known service domain, it is considered standard functionality for the skill's purpose. - [COMMAND_EXECUTION]: The script
scripts/mail-ops.shexecutes several shell commands to initialize the mailbox service (claw_init), send messages (claw_send), and handle attachments (claw_download). It also performs local file system operations by writing configuration data to a.envfile. - [PROMPT_INJECTION]: The skill facilitates the ingestion of external, untrusted email content into the agent's context, which is a known vector for indirect prompt injection.
- Ingestion points: Raw email bodies and folder lists are retrieved via the
claw_bodyandclaw_listfunctions inscripts/mail-ops.sh. - Boundary markers: The instructions do not define delimiters or provide guidance to ignore potentially malicious instructions embedded within processed emails.
- Capability inventory: The skill possesses capabilities to send outgoing emails (
claw_send), download files (claw_download), and execute system commands via the mail CLI wrapper. - Sanitization: There is no evidence of sanitization or validation performed on the retrieved email content before it is passed to the agent.
Audit Metadata