AgentMail Integration

Advisory: audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.prompt_injection_instructions

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If you download attachments from an untrusted inbox, a crafted attachment filename could overwrite local files that the process can access.

Why it was flagged

Attachment filenames come from received email content. Without rejecting absolute paths, '..' segments, or overwrites, a malicious attachment name could write outside the chosen download directory.

Skill content

file_path = download_dir / att.filename
file_path.write_bytes(content)

Recommendation

Sanitize attachment filenames before writing, for example by using only Path(att.filename).name, rejecting absolute paths and '..', and avoiding overwrites unless the user confirms.
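As an added example (not code from the ClawScan advisory or from the AgentMail skill itself), the following Python shows the recommended handling next to the flagged pattern: the untrusted name is reduced to a bare basename, absolute paths and '..' segments are rejected outright, and the write refuses to overwrite an existing file unless the caller explicitly allows it. The function names, the `download_dir`/`raw_name` parameters and the sample attachment names are assumptions made for this example; only `att.filename` and `download_dir` come from the skill snippet above.

```python
import os
import re
import tempfile
from pathlib import Path, PureWindowsPath


class UnsafeFilename(ValueError):
    """Raised when an attachment name from untrusted email cannot be used safely."""


def safe_attachment_name(raw: str) -> str:
    """Reduce an untrusted attachment filename to a bare basename.

    Rejects absolute paths (POSIX or Windows style), any '..' segment, NUL
    bytes and names that collapse to nothing. Directory components are
    dropped, so 'reports/q1.pdf' becomes 'q1.pdf', which is the effect of
    the advisory's Path(att.filename).name suggestion plus explicit rejection.
    """
    if not raw or "\x00" in raw:
        raise UnsafeFilename("empty name or embedded NUL byte")
    # A Windows-style absolute or drive-qualified name (C:\x, \\host\share\x)
    # is still hostile when the agent runs on Linux, so check both conventions.
    if raw[0] in "/\\" or PureWindowsPath(raw).drive:
        raise UnsafeFilename(f"absolute path rejected: {raw!r}")
    parts = [p for p in re.split(r"[\\/]+", raw) if p]
    if any(p == ".." for p in parts):
        raise UnsafeFilename(f"'..' segment rejected: {raw!r}")
    name = parts[-1] if parts else ""
    if name in ("", "."):
        raise UnsafeFilename(f"no usable basename in {raw!r}")
    return name


def save_attachment(download_dir: Path, raw_name: str, content: bytes,
                    allow_overwrite: bool = False) -> Path:
    """Write one attachment under download_dir and return the path written.

    Overwriting is refused by default (O_EXCL), matching the advisory's
    'no overwrites unless the user confirms'; pass allow_overwrite=True only
    after that confirmation.
    """
    base = Path(download_dir).resolve()
    target = base / safe_attachment_name(raw_name)
    # Defence in depth: a pre-existing symlink with this name could still point
    # outside the directory, so re-check the resolved parent before opening.
    if target.resolve().parent != base:
        raise UnsafeFilename(f"{target} resolves outside {base}")
    flags = os.O_WRONLY | os.O_CREAT | (os.O_TRUNC if allow_overwrite else os.O_EXCL)
    fd = os.open(target, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return target


# Constructed sample of attachment names as they might arrive in a message
# (not real data from the skill or from any inbox).
SAMPLE_NAMES = [
    "invoice.pdf",
    "reports/q1.pdf",
    "../../.bashrc",
    "/etc/passwd",
    "C:\\Users\\agent\\.ssh\\authorized_keys",
    "..\\..\\evil.txt",
]


def demo() -> dict:
    """Run the sample names through save_attachment in a scratch directory and
    report which were written (by final basename) and which were rejected."""
    outcome = {}
    with tempfile.TemporaryDirectory() as scratch:
        for raw in SAMPLE_NAMES:
            try:
                outcome[raw] = save_attachment(Path(scratch), raw, b"x").name
            except UnsafeFilename:
                outcome[raw] = "rejected"
        # A second delivery with the same name must not clobber the first.
        try:
            save_attachment(Path(scratch), "invoice.pdf", b"y")
            outcome["duplicate"] = "overwrote"
        except FileExistsError:
            outcome["duplicate"] = "refused"
    return outcome


if __name__ == "__main__":
    for raw, result in demo().items():
        print(f"{raw!r:45} -> {result}")
```

The basename step alone would already neutralise `../../.bashrc`, but rejecting such names instead of silently renaming them gives the agent (and its logs) a signal that an inbox is sending hostile attachments, which the advisory's "untrusted inbox" framing makes worth keeping.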

What this means

Emails sent by outsiders could try to trick an automated agent into taking actions you did not intend.

Why it was flagged

Incoming emails are untrusted text that an agent might accidentally treat as instructions. The skill discloses this risk and provides mitigations.

Skill content

**⚠️ CRITICAL**: Webhooks expose a **prompt injection attack vector**. Anyone can send an email to your agent inbox with instructions like:

Recommendation

Use sender allowlists, content filtering, signature verification, and human approval before allowing email content to trigger actions.

What this means

Anyone or any process with this API key may be able to send mail or manage AgentMail inboxes according to the key's permissions.

Why it was flagged

The integration requires an AgentMail credential that can manage email resources. This is expected, but the registry metadata declares no required env vars or primary credential.

Skill content

**Generate API key** in the console dashboard
**Set environment variable**: `AGENTMAIL_API_KEY=your_key_here`

Recommendation

Use a least-privilege AgentMail key if available, store it only in trusted environments, and rotate it if exposed.

What this means

A future or unexpected package version could change behavior or break the helper scripts.

Why it was flagged

The skill relies on unpinned Python packages despite having no install spec. Installing the provider SDK is purpose-aligned, but users inherit normal package provenance and version risks.

Skill content

**Install Python SDK**: `pip install agentmail python-dotenv`

Recommendation

Pin package versions in your own environment and install from trusted package indexes.

What this means

If a webhook is pointed at the wrong endpoint, incoming email events could be delivered somewhere unintended.

Why it was flagged

The helper can register a URL to receive AgentMail events. This is core webhook functionality, but that endpoint may receive email-related data and must be trusted.

Skill content

webhook = client.webhooks.create(
    url=args.url,
    client_id=args.client_id,
    events=args.events
)

Recommendation

Only register webhook URLs you control, verify AgentMail webhook signatures, and remove unused webhooks.

Findings (2)

warn: suspicious.prompt_injection_instructions
Location: references/WEBHOOKS.md:12
Finding: Prompt-injection style instruction pattern detected.

warn: suspicious.prompt_injection_instructions
Location: SKILL.md:179
Finding: Prompt-injection style instruction pattern detected.