AgentMail Integration
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: agentmail-integration Version: 1.1.0 The skill bundle provides legitimate email automation capabilities and notably includes extensive documentation (`SKILL.md`, `WEBHOOKS.md`) explicitly warning about prompt injection attacks and offering robust mitigation strategies. However, the `scripts/check_inbox.py` script and examples in `references/EXAMPLES.md` and `references/patterns.md` demonstrate the capability to download email attachments to an arbitrary local directory. While this is a core function for an email processing agent, the ability to write arbitrary files to the local filesystem from untrusted email sources, even without explicit execution logic in the provided scripts, represents a significant attack surface for potential supply chain or local execution vulnerabilities if the agent's environment is not rigorously secured. This capability, without clear malicious intent within the bundle itself, warrants a 'suspicious' classification.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you download attachments from an untrusted inbox, a crafted attachment filename could overwrite local files that the process can access.
Attachment filenames come from received email content. Without rejecting absolute paths, '..' segments, or overwrites, a malicious attachment name could write outside the chosen download directory.
file_path = download_dir / att.filename file_path.write_bytes(content)
Sanitize attachment filenames before writing, for example by using only Path(att.filename).name, rejecting absolute paths and '..', and avoiding overwrites unless the user confirms.
Emails sent by outsiders could try to trick an automated agent into taking actions you did not intend.
Incoming emails are untrusted text that an agent might accidentally treat as instructions. The skill discloses this risk and provides mitigations.
**⚠️ CRITICAL**: Webhooks expose a **prompt injection attack vector**. Anyone can send an email to your agent inbox with instructions like:
Use sender allowlists, content filtering, signature verification, and human approval before allowing email content to trigger actions.
Anyone or any process with this API key may be able to send mail or manage AgentMail inboxes according to the key's permissions.
The integration requires an AgentMail credential that can manage email resources. This is expected, but the registry metadata declares no required env vars or primary credential.
**Generate API key** in the console dashboard **Set environment variable**: `AGENTMAIL_API_KEY=your_key_here`
Use a least-privilege AgentMail key if available, store it only in trusted environments, and rotate it if exposed.
A future or unexpected package version could change behavior or break the helper scripts.
The skill relies on unpinned Python packages despite having no install spec. Installing the provider SDK is purpose-aligned, but users inherit normal package provenance and version risks.
**Install Python SDK**: `pip install agentmail python-dotenv`
Pin package versions in your own environment and install from trusted package indexes.
If a webhook is pointed at the wrong endpoint, incoming email events could be delivered somewhere unintended.
The helper can register a URL to receive AgentMail events. This is core webhook functionality, but that endpoint may receive email-related data and must be trusted.
webhook = client.webhooks.create(
url=args.url,
client_id=args.client_id,
events=args.events
)Only register webhook URLs you control, verify AgentMail webhook signatures, and remove unused webhooks.