agentmail
Provides email infrastructure for AI agents, enabling account creation, email management, and webhook integration via a REST API.
Security score
The agentmail skill was audited on May 14, 2026, and we found 30 security issues across 2 threat categories. Review the findings below before installing.
Categories Tested
Security Issues
Curl to non-GitHub URL
| 26 | curl -X POST https://api.theagentmail.net/v1/accounts \ |
Curl to non-GitHub URL
| 37 | curl -X POST https://api.theagentmail.net/v1/accounts/{accountId}/messages \ |
Curl to non-GitHub URL
| 54 | curl https://api.theagentmail.net/v1/accounts/{accountId}/messages \ |
Curl to non-GitHub URL
| 58 | curl https://api.theagentmail.net/v1/accounts/{accountId}/messages/{messageId} \ |
Curl to non-GitHub URL
| 65 | curl https://api.theagentmail.net/v1/karma \ |
Curl to non-GitHub URL
| 74 | curl -X POST https://api.theagentmail.net/v1/accounts/{accountId}/webhooks \ |
Curl to non-GitHub URL
| 98 | curl https://api.theagentmail.net/v1/accounts/{accountId}/messages/{messageId}/attachments/{attachmentId} \ |
Webhook reference - potential data exfiltration
| 3 | description: Email infrastructure for AI agents. Create accounts, send/receive emails, manage webhooks, and check karma balance via the AgentMail API. |
Webhook reference - potential data exfiltration
| 16 | - You need to provision AgentMail accounts, send messages, read inbox contents, or register inbound webhooks. |
Webhook reference - potential data exfiltration
| 71 | ### Register webhook (real-time inbound) |
Webhook reference - potential data exfiltration
| 74 | curl -X POST https://api.theagentmail.net/v1/accounts/{accountId}/webhooks \ |
Webhook reference - potential data exfiltration
| 80 | Webhook deliveries include two security headers: |
Webhook reference - potential data exfiltration
| 81 | - `X-AgentMail-Signature` -- HMAC-SHA256 hex digest of the request body, signed with the webhook secret |
Webhook reference - potential data exfiltration
| 89 | const verifyWebhook = (body: string, signature: string, timestamp: string, secret: string) => { |
Webhook reference - potential data exfiltration
| 116 | | POST | `/v1/accounts/:id/webhooks` | Register webhook | | |
Webhook reference - potential data exfiltration
| 117 | | GET | `/v1/accounts/:id/webhooks` | List webhooks | | |
Webhook reference - potential data exfiltration
| 118 | | DELETE | `/v1/accounts/:id/webhooks/:whId` | Delete webhook | | |
Webhook reference - potential data exfiltration
| 167 | // Webhooks |
Webhook reference - potential data exfiltration
| 168 | await mail.webhooks.create(account.id, { |
External URL reference
| 12 | Base URL: `https://api.theagentmail.net` |
External URL reference
| 26 | curl -X POST https://api.theagentmail.net/v1/accounts \ |
External URL reference
| 37 | curl -X POST https://api.theagentmail.net/v1/accounts/{accountId}/messages \ |
External URL reference
| 54 | curl https://api.theagentmail.net/v1/accounts/{accountId}/messages \ |
External URL reference
| 58 | curl https://api.theagentmail.net/v1/accounts/{accountId}/messages/{messageId} \ |
External URL reference
| 65 | curl https://api.theagentmail.net/v1/karma \ |
External URL reference
| 74 | curl -X POST https://api.theagentmail.net/v1/accounts/{accountId}/webhooks \ |
External URL reference
| 77 | -d '{"url": "https://my-agent.example.com/inbox"}' |
External URL reference
| 98 | curl https://api.theagentmail.net/v1/accounts/{accountId}/messages/{messageId}/attachments/{attachmentId} \ |
External URL reference
| 102 | Returns `{"data": {"url": "https://signed-download-url..."}}`. |
External URL reference
| 169 | url: "https://my-agent.example.com/inbox", |