Security audit

SolEmail

Security checks across malware telemetry and agentic risk

Overview

This email automation skill is disclosed, but it needs review because it can let an AI read personal mail, send messages and attachments, package local files, and run scheduled checks without strong confirmation guardrails.

Install only if you are comfortable giving the agent access to your mailbox and SMTP account. Use an app-specific password, limit scheduled jobs to read-only checks unless you explicitly approve sending, review every recipient and attachment list before outbound mail, and avoid using the file-search-and-zip workflow on broad folders such as home, Documents, Downloads, or any directory containing secrets.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain

Findings (16)

Tainted flow: 'HIMALAYA_CONFIG_PATH' from os.environ.get (line 27, credential/environment) → subprocess.run (code execution)

Medium

Category: Data Flow
Content: def run_himalaya(args: list) -> str: """Run himalaya CLI and return output.""" result = subprocess.run( ["himalaya"] + args, capture_output=True, text=True,
Confidence: 74% confidence
Finding: result = subprocess.run( ["himalaya"] + args, capture_output=True, text=True, env={**os.environ, "HIMALAYA_CONFIG_PATH": HIMALAYA_CONFIG_PATH} )

Lp3

Medium

Category: MCP Least Privilege
Confidence: 89% confidence
Finding: The skill clearly instructs use of shell commands, filesystem paths, and environment-based SMTP credentials, yet it declares no permissions. This creates a mismatch between the skill's actual capabilities and what a user or platform reviewer might expect, increasing the risk of unnoticed access to mailbox contents, local files, and secrets.

Description-Behavior Mismatch

Medium

Confidence: 91% confidence
Finding: The README documents capabilities beyond the skill's declared purpose of reading and sending email, including content-triggered actions, file collection, compression, and unattended automation. In an agent skill context, this scope expansion is dangerous because it increases the blast radius from simple messaging into local data access and exfiltration workflows that could be invoked through email-driven prompts.

Description-Behavior Mismatch

Medium

Confidence: 95% confidence
Finding: The documented find-zip-email workflow allows the agent to search local directories by pattern, archive matching files, and email them to a recipient. That is a clear data exfiltration primitive beyond normal email handling, and if influenced by untrusted email content or prompts it could disclose sensitive local files with minimal friction.

Description-Behavior Mismatch

Medium

Confidence: 93% confidence
Finding: The report explicitly documents an AI system that can autonomously read a personal inbox, decide whether to respond, and accept inbound mail from a public address routed into the agent. That materially expands the skill from passive email tooling into autonomous external communication, increasing the risk of prompt-injection via email, unauthorized replies, and abuse of the owner's identity.

Context-Inappropriate Capability

Medium

Confidence: 95% confidence
Finding: The documented workflow can search arbitrary local folders, collect matching files, zip them, and email them to an external recipient. This creates a direct data-exfiltration path if the agent is tricked by malicious instructions, overly broad file patterns, or ambiguous requests.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The README advertises fully automated reading, decision-making, and replying to email without clearly emphasizing that outbound communications may occur autonomously. In practice, this can cause unintended messages, disclosure of sensitive context, or social-engineering amplification if the agent acts on malicious or ambiguous emails.

Missing User Warnings

High

Confidence: 97% confidence
Finding: The workflow explicitly states that email content can trigger zipping local files and emailing them back, but the README does not present a strong warning about unintended file disclosure. In an AI-agent setting, this is especially risky because untrusted inbound email can become an indirect instruction channel for collecting and transmitting local data.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The cron examples normalize unattended email processing on a schedule without clearly warning that the agent may process or potentially send communications without human oversight. Scheduled autonomous execution increases the chance that malicious emails, misclassifications, or stale configurations will repeatedly trigger unsafe behavior.

Vague Triggers

Medium

Confidence: 84% confidence
Finding: The activation description is broad enough to trigger on common requests like checking email, sending files, or setting up automation, which can cause the skill to be invoked in situations involving sensitive mailbox or local file data. Because the skill supports outbound email and file attachment workflows, overbroad routing increases the chance of unintended data access or exfiltration.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The instructions directly support sending emails and attachments, including a helper that finds files, zips them, and emails them, but provide no guardrails around recipient verification, attachment review, or external transmission consent. In practice, this creates a straightforward path for accidental or induced exfiltration of sensitive local files to unintended recipients.

Missing User Warnings

Low

Confidence: 78% confidence
Finding: The documented cron/heartbeat setup enables recurring mailbox sync and unread-email inspection without warning that this creates ongoing background access to potentially sensitive communications. While less severe than outbound sending, persistent polling expands the privacy and exposure surface and may normalize unattended access to mailbox contents.

Missing User Warnings

High

Confidence: 91% confidence
Finding: The system is described as fully autonomous over a human's personal email account, but the document does not present strong user warnings, consent boundaries, or operational safeguards proportionate to the privacy impact. Personal email commonly contains sensitive personal, financial, and account-recovery information, so autonomous processing without clear warnings and approvals is risky.

Missing User Warnings

High

Confidence: 96% confidence
Finding: A workflow that automatically finds files, compresses them, and emails them externally can disclose sensitive local data if the request is malicious, misunderstood, or overbroad. The absence of explicit warnings and confirmation steps makes accidental or induced exfiltration substantially more likely.

Env Variable Harvesting

High

Category: Data Exfiltration
Content: smtp_host = smtp_host or os.environ.get("SMTP_HOST", "smtp.mail.me.com") smtp_port = int(smtp_port or os.environ.get("SMTP_PORT", 587)) smtp_user = smtp_user or os.environ.get("SMTP_USER") smtp_password = smtp_password or os.environ.get("SMTP_PASSWORD") from_name = from_name or os.environ.get("FROM_NAME", "Sol AI") if not smtp_user or not smtp_password:
Confidence: 70% confidence
Finding: os.environ.get("SMTP_PASSWORD

Unvalidated Output Injection

High

Category: Output Handling
Content: def run_himalaya(args: list) -> str: """Run himalaya CLI and return output.""" result = subprocess.run( ["himalaya"] + args, capture_output=True, text=True,
Confidence: 95% confidence
Finding: subprocess.run( ["himalaya"] + args, capture_output

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal