agentmail-mcp

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt shows concrete examples that embed the API key directly into JSON configs and shell commands (e.g., "AGENTMAIL_API_KEY": "YOUR_API_KEY" and export AGENTMAIL_API_KEY=your-api-key), which would require an LLM to include user-provided secret values verbatim when generating setup files or commands.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md defines tools that fetch and read user email content (e.g., get_thread, get_inbox, get_attachment) and includes example workflows like "Check my inbox for new messages" and "Reply to the latest email," meaning the agent will ingest untrusted, third‑party email messages that could contain instructions influencing its actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill instructs clients to connect to the hosted MCP endpoint https://mcp.agentmail.to and to run/install "agentmail-mcp" via npx/pip, which fetches and executes remote code at runtime (npx/pip install), so external content can run code and influence agent behavior.