imap-smtp-email-chinese

Security checks across malware telemetry and agentic risk

Overview

This email skill appears purpose-aligned, but it gives an agent real mailbox read/send authority and has under-scoped credential, TLS, and local file handling risks that should be reviewed before use.

Install only if you intentionally want the agent to access and send mail from this account. Use a dedicated or least-privilege email account with an app password, keep TLS verification enabled, review every recipient and attachment before sending, and restrict downloads to a safe directory until filename/path handling is hardened.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (8)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 91% confidence
Finding: The skill clearly requires sensitive capabilities: network access to arbitrary IMAP/SMTP servers and environment-based credential handling, yet those capabilities are not explicitly declared. This weakens user visibility and policy enforcement around a tool that can access mailbox contents and send email, increasing the risk of unintended data exposure or misuse.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 95% confidence
Finding: The documented behavior goes beyond the summarized description in security-relevant ways: it can enumerate all folders, save attachments to the local filesystem, store credentials in a local .env file, and send a real test email. In an email tool, these behaviors materially increase exfiltration, persistence, and unintended outbound-communication risks because the skill handles highly sensitive content and credentials.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The README instructs users to configure real email credentials and use the skill to read and send mail, but it does not clearly warn that the tool can access mailbox contents and transmit data to external recipients. In an agent-skill context, this increases the risk of accidental privacy violations, unauthorized outbound transmission, or misuse of sensitive mailbox data by users who may not fully understand the consequences.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The README advises setting IMAP_REJECT_UNAUTHORIZED=false or SMTP_REJECT_UNAUTHORIZED=false for self-signed certificates without adequately warning that this disables certificate validation. Disabling TLS verification exposes credentials and email content to man-in-the-middle attacks and allows impersonation of mail servers, which is especially dangerous because this skill handles authentication secrets and sensitive communications.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The send-email functionality supports arbitrary recipients, CC/BCC, HTML bodies, and attachments, but the skill text does not prominently warn that it can transmit data to external parties. In a tool connected to a real mailbox, missing user-facing warnings can lead to accidental disclosure of sensitive content or attachments outside the organization.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The code writes attachment filenames directly to disk using path.join(outputDir, attachment.filename) with no sanitization, confirmation, or overwrite checks. A malicious email attachment name containing path traversal sequences or absolute paths could cause writes outside the intended directory, potentially overwriting local files.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The script stores the user's email password or app password in a plaintext .env file on disk without any warning about the sensitivity of that secret or guidance on file permissions. In an email skill, these credentials grant direct mailbox read/send access, so local compromise, accidental commits, backups, or shared-user environments can expose the account.

Missing User Warnings

High

Confidence: 98% confidence
Finding: The script allows users to disable certificate validation by setting REJECT_UNAUTHORIZED=false via an 'Accept self-signed certificates?' prompt, but does not present a strong warning that this weakens TLS authentication. For an IMAP/SMTP credentialed client, this can enable man-in-the-middle interception of login credentials and mailbox contents when connecting to attacker-controlled or intercepted endpoints.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal