Security Audit
agent-mail
github.com/Mrc220/agent_flywheel_clawdbot_skills_and_integrationsTrust Assessment
agent-mail received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 12 findings: 8 critical, 2 high, 1 medium, and 1 low severity. Key findings include Covert behavior / concealment directives, Network egress to untrusted endpoints, Arbitrary command execution.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on June 1, 2026 (commit 6a655802). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings12
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/agent-mail/SKILL.md:31 | |
| CRITICAL | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/agent-mail/SKILL.md:32 | |
| CRITICAL | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/agent-mail/SKILL.md:296 | |
| CRITICAL | Arbitrary command execution Remote code download piped to interpreter Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/agent-mail/SKILL.md:379 | |
| CRITICAL | Arbitrary command execution Remote code download piped to interpreter Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/agent-mail/SKILL.md:382 | |
| CRITICAL | Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/agent-mail/SKILL.md:379 | |
| CRITICAL | Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/agent-mail/SKILL.md:382 | |
| CRITICAL | Unsafe Installation Method (Curl | Bash) The recommended installation method involves piping the output of `curl` directly into `bash` from a remote URL. This practice is highly insecure as it executes arbitrary code from an external source without prior review. The use of `$(date +%s)` in the URL further exacerbates the risk by making the fetched script dynamic and difficult to cache or verify, potentially leading to different code being executed on subsequent installs or by different users. Avoid piping `curl` to `bash`. Instead, recommend users download the script, review its contents, and then execute it. For Python projects, prefer standard package managers like `pip` or `uv` with a `requirements.txt` or `pyproject.toml` that specifies pinned dependencies and hashes for integrity. | LLM | SKILL.md:260 | |
| HIGH | Covert behavior / concealment directives Directive to hide behavior from user Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | skills/agent-mail/SKILL.md:334 | |
| HIGH | Excessive Filesystem Permissions via Absolute Paths and Git Hook Modification The skill operates with broad filesystem access, accepting absolute paths for `project_key`, `human_key`, and `code_repo_path` in various tools (e.g., `macro_start_session`, `file_reservation_paths`, `install_precommit_guard`). The `install_precommit_guard` tool specifically modifies Git hooks within a specified repository path. If an agent or a malicious actor can control these path inputs, they could potentially read, write, or execute code in arbitrary locations on the host system, or inject malicious logic into Git hooks, leading to command injection or data exfiltration. Implement strict input validation and sanitization for all file paths. Restrict agent access to a designated sandbox directory. For `install_precommit_guard`, ensure the `code_repo_path` is strictly validated and ideally limited to known, safe repositories. Consider using a allowlist for paths or implementing a robust sandboxing mechanism for agent execution. | LLM | SKILL.md:100 | |
| MEDIUM | Potential Prompt Injection via Messaging and Human Overseer The skill provides mechanisms for agents to send and receive messages (`send_message`, `fetch_inbox`) and includes a 'Human Overseer' feature that allows direct human-to-agent communication. If the agent's underlying LLM interprets these messages as instructions, a malicious human or another agent could craft messages containing prompt injection payloads. This could lead to the agent performing unintended actions, revealing sensitive information, or being manipulated into a harmful state. Implement robust prompt injection defenses for agents consuming messages. This includes input sanitization, instruction/data separation, and explicit user confirmation for sensitive actions. Agents should be designed to treat incoming messages as data or context, not as executable instructions, unless explicitly designed for command execution with strong guardrails. | LLM | SKILL.md:137 | |
| LOW | Static Bearer Token and Stored Secrets in Mailbox The skill uses a static `HTTP_BEARER_TOKEN` for authentication, which is less secure than rotating tokens or more robust authentication mechanisms. Additionally, the 'Static Mailbox Export' feature explicitly mentions 'Scrub presets: `standard` (removes secrets) or `strict` (redacts bodies)', indicating that secrets can be stored within the mailbox data. While the export feature offers scrubbing, the presence of secrets in the mailbox increases the risk of credential exposure if the mailbox data is compromised or exported without proper scrubbing. For `HTTP_BEARER_TOKEN`, consider implementing more secure authentication methods like OAuth2, API key rotation, or short-lived tokens. For secrets stored in the mailbox, evaluate if they truly need to be stored. If so, ensure they are encrypted at rest and access is strictly controlled. Emphasize the importance of using the scrubbing features during export and provide clear guidance on handling sensitive data. | LLM | SKILL.md:272 |
Scan History
Embed Code
[](https://skillshield.io/report/da653581127f4dbc)
Powered by SkillShield