agent-mail
Fail
Audited by Gen Agent Trust Hub on Jun 4, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The documentation and installation scripts promote the use of a one-line installer ("curl | bash") to fetch and execute content from GitHub. This includes downloading the author's own installation scripts from "raw.githubusercontent.com/Dicklesworthstone/mcp_agent_mail/" and dependency installers from "astral.sh" and other user repositories.
- [EXTERNAL_DOWNLOADS]: The project's installation process involves multiple downloads of external scripts and tools, including the "uv" package manager from "astral.sh" and the "beads" task tracking tools from GitHub.
- [COMMAND_EXECUTION]: The project's installation script modifies user shell configuration files ("~/.zshrc" and "~/.bashrc") to add persistent aliases for starting the server and associated tools. Core logic also uses the "subprocess" module to execute shell commands such as "git" and "uv" for repository management.
- [PROMPT_INJECTION]: The skill's primary function as an inter-agent communication hub creates a surface for indirect prompt injection.
  1. Ingestion points: untrusted message content enters the context via "fetch_inbox", "search_messages", and "summarize_thread" in "app.py".
  2. Boundary markers: absent; no delimiters or instructions to ignore embedded commands are present in the processing logic.
  3. Capability inventory: tools like "send_message" and "file_reservation_paths" provide write access, while shell aliases and hooks enable local command execution.
  4. Sanitization: although the Web UI uses Bleach for HTML sanitization in "http.py", inter-agent message content is not sanitized against instruction-based attacks.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/Dicklesworthstone/mcp_agent_mail/main/scripts/install.sh - DO NOT USE without thorough review