Back to skill

Security audit

AgentMail

Security checks across malware telemetry and agentic risk

Overview

This is a coherent AgentMail email-integration skill, but users should treat email contents, webhooks, and attachments as sensitive.

Install only if you intend to give an agent an email identity. Keep AGENTMAIL_API_KEY secure, verify recipients and attachments before sending, restrict webhook endpoints, avoid logging full payloads in shared environments, and redact or summarize email content before forwarding it to systems like GitHub or Slack.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill demonstrates access to environment variables via os.getenv("AGENTMAIL_API_KEY") but does not declare corresponding permissions. This creates a mismatch between documented capabilities and declared security boundaries, which can lead to over-trust and accidental secret exposure when the skill is executed in a broader agent environment.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The example copies a sender's email address, message body, and thread metadata into a GitHub issue without any notice, consent, minimization, or visibility controls. This can expose personal or sensitive information to a separate system with different retention and access properties, especially if the repository is public or broadly accessible.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The webhook examples receive full inbound email data and then demonstrate automatically sending content derived from that inbound message back out, including subject lines, sender addresses, and in one case extracted attachment text. In an agent-email skill, this can normalize unsafe handling of user communications and sensitive data without any explicit privacy warning, consent guidance, minimization advice, or cautions against echoing confidential content to external systems or recipients.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The development test server logs the full webhook payload, which can include email metadata and potentially sensitive message content. In an email-handling skill, this increases the chance of accidental disclosure through terminal history, log collection systems, shared development environments, or support screenshots, even if the server is intended only for testing.

Ssd 3

Medium
Confidence
96% confidence
Finding
The workflow reposts incoming email text verbatim into a separate tracking system, which risks leaking secrets, personal data, or confidential business content contained in the email. Because emails are unstructured and may contain highly sensitive material, verbatim forwarding is unsafe by default unless content is filtered and users are informed.

Session Persistence

Medium
Category
Rogue Agent
Content
---
name: agentmail
description: API-first email platform designed for AI agents. Create and manage dedicated email inboxes, send and receive emails programmatically, and handle email-based workflows with webhooks and real-time events. Use when you need to set up agent email identity, send emails from agents, handle incoming email workflows, or replace traditional email providers like Gmail with agent-friendly infrastructure.
---

# AgentMail
Confidence
78% confidence
Finding
Create and manage dedicated email inboxes, send and receive emails programmatically, and handle email-based workflows with webhooks and real-time events. Use when you need to set up agent email identi

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.prompt_injection_instructions

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
SKILL.md:89