Back to skill

Security audit

AgentMail Email

Security checks across malware telemetry and agentic risk

Overview

AgentMail is a disclosed email and webhook integration whose main risks are the expected privacy and automation risks of giving an agent email access.

Install only if you want an agent to send, receive, and automate email through AgentMail. Protect API keys, confirm recipients and attachments before sending, keep webhooks scoped to trusted endpoints, verify webhook signatures, allowlist trusted senders before triggering agent actions, and avoid forwarding full email bodies into public or shared systems without redaction and consent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill instructs users to set and use `AGENTMAIL_API_KEY` via environment variables and code samples call `os.getenv(...)`, but the skill declares no permissions or capability metadata for env access. This creates a transparency and policy gap: an agent may access secrets at runtime without explicit declaration, making secret use harder to audit and constrain.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The skill description and use guidance are broad enough to match many generic email tasks, which can cause over-invocation of a powerful integration that can send/receive external messages and configure workflows. In practice, this increases the chance an agent routes unrelated requests into a high-impact skill, expanding the attack surface and enabling unintended outbound communication.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The example forwards sender identity and full email body content into a GitHub issue without any warning, consent check, redaction, or visibility control. In common deployments, GitHub issues may be accessible to a broader audience than the original email channel, creating a real privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The examples encourage automatically replying to and routing inbound email content based on untrusted sender-controlled fields such as subject, recipient, and message body, without prominently warning about privacy, spoofing, abuse, or unintended data disclosure. In an agent-oriented email platform, this can lead developers to forward sensitive content to third-party systems or trigger actions from malicious emails, increasing the chance of data leakage and workflow abuse.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The test webhook receiver logs the full webhook payload to stdout, which can include sender/recipient details, message previews, and potentially sensitive email content or metadata. In real developer environments, console output is often captured by terminals, CI logs, container logs, or centralized logging systems, so this creates an unnecessary data exposure risk even if the server is intended only for testing.

Ssd 3

Medium
Confidence
95% confidence
Finding
The code copies user-provided email text directly into an issue body, which can expose personal, confidential, or regulated data in plain language. Because inbound email is untrusted and often contains sensitive context, automatically publishing it to a potentially public tracker materially increases disclosure risk.

Session Persistence

Medium
Category
Rogue Agent
Content
---
name: agentmail
description: API-first email platform designed for AI agents. Create and manage dedicated email inboxes, send and receive emails programmatically, and handle email-based workflows with webhooks and real-time events. Use when you need to set up agent email identity, send emails from agents, handle incoming email workflows, or replace traditional email providers like Gmail with agent-friendly infrastructure.
---

# AgentMail
Confidence
76% confidence
Finding
Create and manage dedicated email inboxes, send and receive emails programmatically, and handle email-based workflows with webhooks and real-time events. Use when you need to set up agent email identi

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.prompt_injection_instructions

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
SKILL.md:89