Back to skill

Security audit

Skulk Email

Security checks across malware telemetry and agentic risk

Overview

This email skill appears to do what it says, but it gives an agent sensitive mailbox access and the ability to send email using stored mailbox passwords.

Install only for a mailbox you are comfortable letting an agent access. Prefer a dedicated low-privilege mailbox or app password, lock down the credential file, avoid storing unused Gmail credentials, and require manual review before any outgoing email is sent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill explicitly requires shell execution and network access but does not declare permissions or clearly scope those capabilities. In an agent environment, undeclared capabilities reduce transparency and can cause the skill to be invoked with broader access than users or orchestrators expect, especially since it handles email sending and inbox access.

Credential Access

High
Category
Privilege Escalation
Content
- **curl** — Roundcube webmail sending
- **jq** — credential file parsing
- **DreamHost mailbox** — email address + password
- **Credential file** — stored locally at `~/.config/skulk-email/credentials.json` (never transmitted beyond DreamHost servers)

## Security
Confidence
94% confidence
Finding
credentials.json

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.