Trust Assessment
agentmail received a trust score of 67/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 1 critical, 0 high, 1 medium, and 0 low severity. The key findings are "Direct inclusion of untrusted email content in LLM prompt" and "Unpinned dependency in installation instructions".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Direct inclusion of untrusted email content in LLM prompt. The skill explicitly warns about prompt injection via incoming email webhooks. The provided `email-allowlist.ts` webhook transform, while implementing an allowlist, still directly includes `payload.message.subject` and `payload.message.text` from the incoming email into the `text` field of the `action: 'wake'` payload. This payload is then sent to the LLM. This means that even emails from allowlisted senders can contain malicious instructions that manipulate the LLM, as the content is not sanitized or marked as untrusted before being passed to the model. The skill itself labels this as a 'CRITICAL' risk. Recommendation: Implement robust sanitization or explicit untrusted markers for `payload.message.subject` and `payload.message.text` before including them in the LLM prompt, even for allowlisted senders. Consider routing all email content to an isolated review session or using agent training to treat email content as suggestions rather than commands, as mentioned in the 'Defense Layers' section. | LLM | SKILL.md:200 |
| MEDIUM | Unpinned dependency in installation instructions. The installation instruction `pip install agentmail` does not specify a version. This can lead to unexpected behavior or security vulnerabilities if a future version of the `agentmail` package introduces breaking changes or malicious code. Best practice is to pin dependencies to a specific version or a range. Recommendation: Pin the `agentmail` dependency to a specific version, e.g., `pip install agentmail==1.1.0`, or use a version range like `agentmail>=1.1.0,<2.0.0`. | LLM | SKILL.md:235 |