Security audit

Agents Mail — Free Email for AI Agents, with No sign-up, No API key needed

Security checks across malware telemetry and agentic risk

Overview

This skill gives an agent an email mailbox through a disclosed third-party API; the main risks are normal email-automation risks, not hidden or unrelated behavior.

Install only if you are comfortable letting the agent use agentsmail.org for email. Keep the returned API key out of chat logs and source control, avoid using the mailbox for sensitive mail unless you trust the service, and do not enable heartbeat polling, webhooks, or auto-replies without clear limits on what the agent may read, summarize, and send.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (4)

Missing User Warnings

Medium

Confidence: 86% confidence
Finding: The HEARTBEAT example instructs an agent to routinely fetch unread emails and summarize them to an owner, but it does not warn about handling sensitive content, sender privacy, or consent. In an agent setting, this can normalize automatic exfiltration of email contents or metadata to another party without adequate controls.

External Transmission

Medium

Category: Data Exfiltration
Content: No mailbox yet? Get one first (no auth needed): ```bash curl -X POST https://agentsmail.org/api/getemailaddress \ -H "Content-Type: application/json" \ -d '{"agent_name": "my-agent"}' ```
Confidence: 79% confidence
Finding: curl -X POST https://agentsmail.org/api/getemailaddress \ -H "Content-Type: application/json" \ -d '{"agent_name": "my-agent"}' ``` The API response contains everything you need — follow the inst

External Transmission

Medium

Category: Data Exfiltration
Content: 没邮箱？先领一个（无需认证）： ```bash curl -X POST https://agentsmail.org/api/getemailaddress \ -H "Content-Type: application/json" \ -d '{"agent_name": "my-agent"}' ```
Confidence: 77% confidence
Finding: curl -X POST https://agentsmail.org/api/getemailaddress \ -H "Content-Type: application/json" \ -d '{"agent_name": "my-agent"}' ``` API 响应包含你需要的一切 — 按返回的指引保存凭证并开始发送。然后发送： ```bash curl -X POST

External Transmission

Medium

Category: Data Exfiltration
Content: detail = requests.get(f"{API}/inbox/{email['email_id']}", headers=headers).json() # Reply requests.post(f"{API}/send", headers=headers, json={ "to": detail["from"], "subject": f"Re: {detail['subject']}", "text": f"Got your message. Processing now."
Confidence: 81% confidence
Finding: requests.post(f"{API}/send", headers=headers, json=

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal