Back to skill

Security audit

Agent Mail Guard — Email Sanitizer for AI Agents

Security checks across malware telemetry and agentic risk

Overview

This is a defensive email and calendar sanitizer with disclosed Google Workspace wrapper scripts, but users should review mailbox access and local audit logging before use.

Install only if you are comfortable letting the wrapper scripts read the Gmail and Calendar accounts you configure through gog. Use --raw if you do not want local audit summaries, review accounts.conf and related environment variables before running, and remember that sanitized output may still contain private message or event details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill is presented primarily as a sanitizer for untrusted email/calendar content, but it also fetches live Gmail and Calendar data, reads account configuration, and writes audit logs. That mismatch can cause operators or downstream agents to grant broader trust than warranted, leading to unexpected data access, retention, and exposure of sensitive mailbox/calendar information.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The file persists audit data to monthly JSONL files on disk even though the skill is described as sanitizing content and returning safe JSON output. Persistent local logging can capture metadata about processed emails, suspicion flags, and operational behavior, creating an unadvertised data-retention surface that may expose sensitive information or violate least-surprise/privacy expectations.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script does more than sanitize supplied content: it actively fetches unread Gmail messages and later forwards processed results into an audit pipeline. That expands the skill from passive sanitization into live mailbox access and secondary data handling, which increases privacy and trust risk and can expose sensitive email contents beyond the narrowly described purpose.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Reading account configuration and invoking an external Gmail CLI gives the skill direct access to live user mailboxes, which is a materially broader capability than a sanitizer-only utility. In an agent context, this is dangerous because users may grant or run the skill expecting local text cleaning, not mailbox enumeration and retrieval across configured accounts.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
Email content is sent through multiple external processing steps, including the sanitizer, pretty-printing, and optional audit handling, without any visible user-facing disclosure of how sensitive data is handled or retained. In a security-sensitive agent workflow, hidden secondary processing of private communications can lead to unintended disclosure, persistence, or misuse of mailbox contents.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.prompt_injection_instructions

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
README.md:69