AgentMail Integration
Review
Audited by ClawScan on May 10, 2026.
Overview
This is mostly a coherent AgentMail integration, but its attachment-download script can write files using untrusted email filenames, which could overwrite files outside the chosen folder.
Install only if you are comfortable giving the skill an AgentMail API key and letting it send/manage email on your behalf. Avoid using the attachment-download option on untrusted mail until filenames are sanitized, and keep webhook processing behind allowlists, signature verification, and human approval for risky actions.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you download attachments from an untrusted inbox, a crafted attachment filename could overwrite local files that the process can access.
Attachment filenames come from received email content. Without rejecting absolute paths, '..' segments, or overwrites, a malicious attachment name could write outside the chosen download directory.
file_path = download_dir / att.filename
file_path.write_bytes(content)
Sanitize attachment filenames before writing, for example by using only Path(att.filename).name, rejecting absolute paths and '..', and avoiding overwrites unless the user confirms.
Emails sent by outsiders could try to trick an automated agent into taking actions you did not intend.
Incoming emails are untrusted text that an agent might accidentally treat as instructions. The skill discloses this risk and provides mitigations.
**⚠️ CRITICAL**: Webhooks expose a **prompt injection attack vector**. Anyone can send an email to your agent inbox with instructions like:
Use sender allowlists, content filtering, signature verification, and human approval before allowing email content to trigger actions.
Anyone or any process with this API key may be able to send mail or manage AgentMail inboxes according to the key's permissions.
The integration requires an AgentMail credential that can manage email resources. This is expected, but the registry metadata declares no required env vars or primary credential.
**Generate API key** in the console dashboard
**Set environment variable**: `AGENTMAIL_API_KEY=your_key_here`
Use a least-privilege AgentMail key if available, store it only in trusted environments, and rotate it if exposed.
A future or unexpected package version could change behavior or break the helper scripts.
The skill relies on unpinned Python packages despite having no install spec. Installing the provider SDK is purpose-aligned, but users inherit normal package provenance and version risks.
**Install Python SDK**: `pip install agentmail python-dotenv`
Pin package versions in your own environment and install from trusted package indexes.
If a webhook is pointed at the wrong endpoint, incoming email events could be delivered somewhere unintended.
The helper can register a URL to receive AgentMail events. This is core webhook functionality, but that endpoint may receive email-related data and must be trusted.
webhook = client.webhooks.create(
    url=args.url,
    client_id=args.client_id,
    events=args.events
)
Only register webhook URLs you control, verify AgentMail webhook signatures, and remove unused webhooks.
