Security Audit
agentmail-to/agentmail-skills:agentmail-mcp
github.com/agentmail-to/agentmail-skills
Trust Assessment
agentmail-to/agentmail-skills:agentmail-mcp received a trust score of 63/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 2 high, 1 medium, and 0 low severity. Key findings include Unpinned Dependency in `npx` Command, Unpinned Dependency in `pip install` Command, and Broad Tool Access for Email Management.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 27, 2026 (commit 0f99f45f). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Description | Remediation | Layer | Location |
|---|---|---|---|---|---|
| HIGH | Unpinned Dependency in `npx` Command | The skill instructs users to run `npx agentmail-mcp` without specifying a version. This means the latest version of the `agentmail-mcp` npm package will always be downloaded and executed. If a malicious update is pushed to the `agentmail-mcp` package on npm, or if a typosquat package is created, users could unknowingly execute compromised code. The `-y` flag further exacerbates this by automatically confirming installation prompts. | Specify a pinned version for the `agentmail-mcp` package in the `npx` command, e.g., `npx -y agentmail-mcp@1.2.3`. This ensures that a known, tested version is used, reducing the risk of unexpected changes or malicious updates. | Static | SKILL.md:30 |
| HIGH | Unpinned Dependency in `pip install` Command | The skill instructs users to install `agentmail-mcp` via `pip install agentmail-mcp` without specifying a version. This means the latest version of the `agentmail-mcp` PyPI package will always be downloaded and installed. If a malicious update is pushed to the `agentmail-mcp` package on PyPI, or if a typosquat package is created, users could unknowingly install and execute compromised code. | Specify a pinned version for the `agentmail-mcp` package in the `pip install` command, e.g., `pip install agentmail-mcp==1.2.3`. This ensures that a known, tested version is used, reducing the risk of unexpected changes or malicious updates. | Static | SKILL.md:56 |
| MEDIUM | Broad Tool Access for Email Management | The `agentmail-mcp` skill provides access to a comprehensive set of email management tools, including `create_inbox`, `delete_inbox`, `send_message`, `reply_to_message`, and `get_attachment`. While these are the intended functions of an email agent, granting an AI assistant access to all these tools by default without granular control or user confirmation for sensitive actions (like deleting an inbox or sending an email) could lead to unintended or malicious email activity if the AI is compromised or misinterprets instructions. The skill does offer a `--tools` argument to limit access, but the default configuration shown provides full access. | Encourage users to utilize the `--tools` argument to restrict the AI's capabilities to only the necessary functions, especially for sensitive actions like `delete_inbox`, `send_message`, and `get_attachment`. Provide clear guidance on how to configure minimal necessary permissions. The client application integrating this skill should also implement robust user consent mechanisms for high-risk actions. | Static | SKILL.md:90 |