Back to skill

Security audit

Agents Mail — Free Email for AI Agents, with No sign-up, No API key needed

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only email integration skill whose sensitive behaviors are disclosed and aligned with its purpose, but users should be careful with automation.

Install only if you want your agent to use an external email mailbox. Keep the API key private, review recipients and message content before sending when possible, confirm deletion policies, and enable auto-responders, heartbeat checks, or webhooks only for trusted senders and trusted destinations with rate limits or approval rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The auto-responder example continuously polls a mailbox and automatically replies to any unread message without requiring human approval or documenting safety constraints. In an agent skill context, this can cause unintended external communications, mail loops, spam amplification, and disclosure that the agent is active or processing messages.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The HEARTBEAT pattern instructs the agent to automatically fetch inbox contents and summarize unread emails on each cycle, but it does not clearly warn that email metadata and previews may be exposed to another component or owner workflow. In agent deployments, this can create silent, recurring disclosure of potentially sensitive communications.

External Transmission

Medium
Category
Data Exfiltration
Content
URL must be public HTTPS. No localhost/private IPs.

```bash
curl -X POST https://agentsmail.org/api/webhooks \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer {api_key}" \
  -d '{"url": "https://your-server.com/webhook", "events": ["email.received"]}'
Confidence
73% confidence
Finding
curl -X POST https://agentsmail.org/api/webhooks \ -H "Content-Type: application/json" \ -H "Authorization: Bearer {api_key}" \ -d '{"url": "https://your-server.com/webhook", "events": ["email.r

External Transmission

Medium
Category
Data Exfiltration
Content
detail = requests.get(f"{API}/inbox/{email['email_id']}", headers=headers).json()

        # Reply
        requests.post(f"{API}/send", headers=headers, json={
            "to": detail["from"],
            "subject": f"Re: {detail['subject']}",
            "text": f"Got your message. Processing now."
Confidence
90% confidence
Finding
requests.post(f"{API}/send", headers=headers, json=

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.