agent-email

Pass

Audited by Gen Agent Trust Hub on May 20, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill uses npx to dynamically fetch and execute the @clawemail/mail-cli package from the npm registry at runtime. This package is the official tool provided by the ClawEmail service (NetEase) for managing Agent-specific mailboxes.
  • [REMOTE_CODE_EXECUTION]: The use of npx --yes "@clawemail/mail-cli@latest" in scripts/mail-ops.sh represents the execution of remote code from a package registry. As this targets a well-known service domain, it is considered standard functionality for the skill's purpose.
  • [COMMAND_EXECUTION]: The script scripts/mail-ops.sh executes several shell commands to initialize the mailbox service (claw_init), send messages (claw_send), and handle attachments (claw_download). It also performs local file system operations by writing configuration data to a .env file.
  • [PROMPT_INJECTION]: The skill facilitates the ingestion of external, untrusted email content into the agent's context, which is a known vector for indirect prompt injection.
  • Ingestion points: Raw email bodies and folder lists are retrieved via the claw_body and claw_list functions in scripts/mail-ops.sh.
  • Boundary markers: The instructions do not define delimiters or provide guidance to ignore potentially malicious instructions embedded within processed emails.
  • Capability inventory: The skill possesses capabilities to send outgoing emails (claw_send), download files (claw_download), and execute system commands via the mail CLI wrapper.
  • Sanitization: There is no evidence of sanitization or validation performed on the retrieved email content before it is passed to the agent.
Audit Metadata
Risk Level
SAFE
Analyzed
May 20, 2026, 04:24 AM
Security Audit — agent-trust-hub — agent-email