Back to skill

Security audit

Agentmail Temp

Security checks across malware telemetry and agentic risk

Overview

This looks like a real AgentMail integration, but some examples and helpers can expose full email contents to third-party endpoints or logs without enough guardrails.

Review before installing. Use this only if you need AgentMail-based email automation, restrict the API key, start with test inboxes, require confirmation before sending or forwarding messages, avoid raw GitHub forwarding for sensitive mail, do not log full webhook payloads, and clean up any inboxes or webhooks you create.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill demonstrates access to environment variables via os.getenv("AGENTMAIL_API_KEY") but does not declare permissions or clearly scope that capability. In an agent environment, undeclared env access can expand the skill's effective privileges and make secret handling less auditable, especially for API keys.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The description is broadly phrased around common tasks like sending email, managing inboxes, and agent identity, which increases the chance this skill is auto-selected for loosely related prompts. Over-broad invocation can cause unintended execution of high-impact actions such as sending messages or provisioning inboxes without sufficiently specific user intent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The example forwards user-supplied email content and sender identity into a third-party GitHub issue without any consent, warning, redaction, or sensitivity checks. This can expose private email contents, personal data, internal details, or secrets to an external system and may violate privacy expectations or data-handling requirements.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The local development workflow instructs users to expose a live webhook receiver over ngrok, which can route real inbound email events containing message bodies and participant addresses through a publicly reachable tunnel. Without an explicit warning to avoid production/sensitive traffic, authenticate access, and treat tunneled data as sensitive, developers may unintentionally expose confidential email content during testing.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The test webhook receiver prints the full incoming webhook payload, which may include sensitive email content, sender/recipient details, metadata, and potentially other private message fields. Even though this is framed as a development helper, console logs are often persisted, shared, or collected by log aggregation systems, making unintended disclosure of email data a realistic risk.

External Transmission

Medium
Category
Data Exfiltration
Content
'labels': labels
    }
    
    response = requests.post(
        f'https://api.github.com/repos/{repo}/issues',
        json=issue_data,
        headers={
Confidence
92% confidence
Finding
requests.post( f'https://api.github.com/repos/{repo}/issues', json=

External Transmission

Medium
Category
Data Exfiltration
Content
}
    
    response = requests.post(
        f'https://api.github.com/repos/{repo}/issues',
        json=issue_data,
        headers={
            'Authorization': f'token {github_token}',
Confidence
89% confidence
Finding
https://api.github.com/

Session Persistence

Medium
Category
Rogue Agent
Content
---
name: agentmail
description: API-first email platform designed for AI agents. Create and manage dedicated email inboxes, send and receive emails programmatically, and handle email-based workflows with webhooks and real-time events. Use when you need to set up agent email identity, send emails from agents, handle incoming email workflows, or replace traditional email providers like Gmail with agent-friendly infrastructure.
---

# AgentMail
Confidence
82% confidence
Finding
Create and manage dedicated email inboxes, send and receive emails programmatically, and handle email-based workflows with webhooks and real-time events. Use when you need to set up agent email identi

VirusTotal

53/53 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.prompt_injection_instructions

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
SKILL.md:89