Trust Assessment
agentmail-integration received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 1 high, 1 medium, and 0 low severity. Key findings include arbitrary file write via attachment download, arbitrary file read via attachment upload, and unpinned Python dependencies.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary file write via attachment download.** The `scripts/check_inbox.py` script allows downloading email attachments to a directory specified by the `--download-attachments` command-line argument. If an AI agent or an attacker can control this argument, they could specify a sensitive system path (e.g., `/etc`, `/root/.ssh`) and overwrite or create arbitrary files with content from an email attachment. This could lead to privilege escalation, system compromise, or denial of service. Remediation: 1. Restrict download paths: Only allow downloads to a dedicated, sandboxed directory. 2. Sanitize filenames: Ensure `att.filename` does not contain path traversal sequences (e.g., `../`). 3. User confirmation: For sensitive operations, require explicit human approval. 4. Least privilege: Run the script with minimal necessary permissions. | LLM | scripts/check_inbox.py:89 |
| HIGH | **Arbitrary file read via attachment upload.** The `scripts/send_email.py` script allows attaching a file specified by the `--attachment` command-line argument. If an AI agent or an attacker can control this argument, they could specify a sensitive system file (e.g., `/etc/passwd`, `/root/.ssh/id_rsa`, environment files) to be read and attached to an outgoing email. This would lead to data exfiltration. Remediation: 1. Restrict attachment paths: Only allow attachments from a dedicated, sandboxed directory. 2. User confirmation: For sensitive operations, require explicit human approval. 3. Least privilege: Run the script with minimal necessary permissions. | LLM | scripts/send_email.py:60 |
| MEDIUM | **Unpinned Python dependencies.** The `SKILL.md` and several Python scripts (`agentmail-helper.py`, `check_inbox.py`, `send_email.py`, `setup_webhook.py`) instruct users to install `agentmail` (and `python-dotenv` in `SKILL.md`) without specifying a version. This practice can lead to supply chain vulnerabilities if a malicious version of the package is published or if breaking changes are introduced in future versions, potentially affecting the skill's security or functionality. Remediation: Pin all Python dependencies to specific versions (e.g., `agentmail==1.2.3`) in a `requirements.txt` file or directly in installation instructions. Use a dependency management tool that enforces pinning. | LLM | SKILL.md:27 |