agentmail

Pass

Audited by Gen Agent Trust Hub on May 16, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: Fetches and executes the agentmail-mcp package from the NPM registry via npx during setup.
  • [EXTERNAL_DOWNLOADS]: Requires the installation of the mcp package from the PyPI registry.
  • [PROMPT_INJECTION]: Identified an indirect prompt injection surface as the agent processes untrusted data from incoming emails.
  • Ingestion points: Untrusted content enters the agent's context through the get_thread and list_threads tools in SKILL.md.
  • Boundary markers: Absent; there are no instructions for the agent to distinguish between its own logic and instructions embedded in incoming emails.
  • Capability inventory: The agent has permissions to send_message, reply_to_message, create_inbox, and delete_inbox across SKILL.md.
  • Sanitization: No sanitization or validation of incoming email content is implemented or instructed.
Audit Metadata
Risk Level
SAFE
Analyzed
May 16, 2026, 01:44 PM
Security Audit — agent-trust-hub — agentmail