Is agentmail safe?

https://clawhub.ai/adboio/agentmail

72
CAUTION

AgentMail is a legitimate email integration skill for AI agents, but it creates significant security surface area. The bidirectional email capability (send/receive) combined with webhook-driven inbound processing creates an unprotected prompt injection vector that the skill itself acknowledges but does not mitigate by default. The ability to attach arbitrary files to outbound emails provides a ready-made data exfiltration channel. No malicious intent detected, but the default-insecure design warrants caution.

Category Scores

Prompt Injection 62/100 · 30%
Data Exfiltration 70/100 · 25%
Code Execution 65/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 45/100 · 5%

Findings (9)

HIGH Inbound email creates uncontrolled prompt injection surface -25

The webhook integration allows any external sender to deliver content into the agent's context via email. The skill explicitly documents this as a prompt injection vector but does not enforce any default protections. The allowlist is optional and requires manual configuration.

HIGH Arbitrary file attachment enables data exfiltration via email -20

send_email.py accepts any filesystem path via --attach, reads the file, base64-encodes it, and sends it to an external email address through AgentMail's API. An agent instructed to 'email this file' could exfiltrate any readable file.

MEDIUM Skill instructs agent to modify host system config files -13

SKILL.md contains instructions for the agent to create files at ~/.clawdbot/hooks/email-allowlist.ts and modify ~/.clawdbot/clawdbot.json, then execute 'clawdbot gateway restart'. This modifies the host agent's configuration and restarts a service.

MEDIUM Flask server binds to all interfaces -15

setup_webhook.py's --test-server mode starts a Flask server bound to 0.0.0.0:3000, exposing a webhook endpoint on all network interfaces. This could be exploited on shared networks.

MEDIUM Executable Python scripts with pip install instructions -20

Three Python scripts are included that the agent may execute. The skill instructs 'pip install agentmail flask ngrok python-dotenv' which pulls packages from PyPI at runtime.

MEDIUM API key exposure through environment variable pattern -10

The skill instructs setting AGENTMAIL_API_KEY as an environment variable and reading it via os.getenv(). The agent could inadvertently log, display, or transmit this key.

LOW Canary file reads during install are from host process, not skill -10

Filesystem monitoring shows reads of .env, .aws/credentials, .openclaw/openclaw.json during install, but timing and pattern indicate these are from the OpenClaw gateway startup process, not from the skill code itself.

INFO Bidirectional email creates potential covert C2 channel -15

The combination of send and receive capabilities creates a bidirectional communication channel that could serve as a command-and-control mechanism if the agent's inbox is compromised. Instructions arrive via email, data leaves via email.

INFO Skill-combination amplification risk -40

This skill is particularly dangerous in combination with file-access or shell-execution skills. A prompt injection via email could instruct the agent to use other skills to read sensitive data, then use this skill to email it out.