agent-mail

Fail

Audited by Gen Agent Trust Hub on Apr 28, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The installer script (scripts/install.sh) and README documentation recommend piping remote shell scripts directly into bash or sh from a non-trusted repository (e.g., https://raw.githubusercontent.com/Dicklesworthstone/mcp_agent_mail/main/scripts/install.sh).
  • [COMMAND_EXECUTION]: Extensive use of subprocess.run and subprocess.check_output across core logic (src/mcp_agent_mail/guard.py, src/mcp_agent_mail/storage.py) and various scripts to interact with the git CLI and other system commands.
  • [DATA_EXFILTRATION]: The send_message tool can be configured to allow absolute filesystem paths in attachments (controlled by the ALLOW_ABSOLUTE_ATTACHMENT_PATHS setting). When enabled, this creates a filesystem read primitive allowing agents to potentially exfiltrate any file accessible to the server process.
  • [PERSISTENCE_MECHANISMS]: Integration scripts such as scripts/integrate_claude_code.sh modify user shell profiles (.bashrc, .zshrc) to add aliases and environment variables. The skill also installs persistent Git hooks (pre-commit, pre-push) into repositories to enforce coordination rules.
  • [PRIVILEGE_ESCALATION]: The scripts/install.sh script utilizes sudo to install system-level dependencies like jq through various package managers.
  • [CREDENTIALS_UNSAFE]: A hardcoded authentication token is present in the .claude/settings.json file (AGENT_MAIL_TOKEN='dc5029ac32a9f350508a565af683205cf99f25c896b07c07bc53a9517877ce8c').
  • [INDIRECT_PROMPT_INJECTION]: The skill has a significant attack surface as it ingests untrusted message data from agents via fetch_inbox and provides high-privilege tools such as install_precommit_guard and file_reservation_paths which can influence the behavior of other agents.
  • [EXTERNAL_DOWNLOADS]: Multiple scripts download and execute content from external domains including github.com and astral.sh for dependency installation and configuration.
  • [PROMPT_INJECTION]: The AGENTS.md file contains strong behavioral overrides (e.g., 'RULE NUMBER 1 (NEVER EVER EVER FORGET THIS RULE!!!): YOU ARE NEVER ALLOWED TO DELETE A FILE...') that attempt to fundamentally alter standard AI agent safety and operational protocols.
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/Dicklesworthstone/mcp_agent_mail/main/scripts/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Apr 28, 2026, 08:06 PM