Security

The core idea: Airbox reads every email as two separate things. Your instruction comes from a small trusted surface — the subject, the first body line with command symbols, or a (* … *) block at the top. Everything else in the body — the forwarded thread, signatures, quoted replies, plain prose — is treated as information to read, never as a command. That's what stops a malicious forwarded email from hijacking your AI (a trick called “prompt injection”).

Under the hood, the email is handed to the AI like this:

<user_instruction>
  (trusted surface — subject, command line, or (* … *) block)
</user_instruction>

<untrusted_email_content>
  (the rest of the email — read as information, never obeyed)
</untrusted_email_content>

Airbox acts on an email only if the sender is on your address's allow list. By default that's just you — the account owner. On Pro and Team you can also allow a whole company by adding *@company.com. Airbox also runs the standard email anti-spoofing checks (SPF and DKIM) so someone can't fake being you.

• A (* … *) block is always treated as your instruction
• Composing or BCC: the subject, the first body line with command symbols (@ # ! -), or a (* … *) block
• Forwarding: a command line or (* … *) block above the forwarded message — never the “Fwd:” subject
• Plain writing is never turned into a command
• The instruction is capped at 500 characters

• Hidden text and scripts are stripped from emails before the AI sees them
• You can limit which AIs and tools each address is allowed to use
• Rotate an address to shut off a leaked one instantly
• Each email is processed exactly once, even if it arrives twice
• Your AI provider keys are encrypted in storage

See the public Security page for the full write-up.