
Security audit

mailbox.bot

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent postal-mail integration, but it gives agents real-world mail authority, including potentially destructive mailbox actions, without consistently requiring human approval.

Review this skill before installing. Use sandbox or dry-run keys first, prefer agent-scoped keys, enable force_approval and spend limits, and do not allow autonomous shred, dispose, return-to-sender, discard, or outbound production mail unless a human has approved the specific rule and understands the legal, privacy, and cost impact.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The skill describes irreversible mailbox actions such as shred, dispose, and return-to-sender as normal API capabilities without strong safeguards, warnings, or confirmation requirements. In a mail-handling agent, this can cause permanent loss of legal, financial, or compliance-critical documents if the model misclassifies mail or follows weak standing instructions.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The standing-instructions example includes 'Junk mail → discard' without clarifying that automated classification can be wrong and that important mail can resemble low-value correspondence. This normalizes autonomous destruction of physical mail and increases the chance an agent will discard time-sensitive or legally significant items.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The API documents destructive operations as routine action types but provides no caution about irreversibility, misrouting, or the consequences of destroying regulated or legal mail. Because this is operational API guidance for agents, omission of safety constraints materially increases the risk of unsafe automation.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The decision framework explicitly instructs agents to 'discard, shred, or dispose' mail during triage without requiring operator confirmation or emphasizing the irreversibility of those actions. In context, this is especially dangerous because the skill is built to process legal notices, government mail, tax responses, and compliance documents where a single mistaken destructive action can create severe downstream harm.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The install guide advertises configuration steps and tool capabilities but does not clearly warn users that connecting this MCP server grants an agent the ability to initiate real-world outbound physical mail and access inbound mail/document context. In an AI-agent setting, omission of this consent and data-scope warning can cause operators to enable the skill without understanding that it can trigger external actions and expose sensitive document data, increasing the risk of unintended mailings or privacy breaches.
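The overview's recommendations (dry-run keys, force_approval, spend limits, no autonomous shred/dispose/return-to-sender/discard or outbound production mail without a human-approved rule) and the five findings above describe the same missing control: a gate between the agent's triage decision and the mail API. The following is an added example of such a gate, written for this page; it is not code from mailbox.bot, SkillSpector or NVIDIA. The action names, the ApprovedRule record, the classifier categories and confidence threshold, and the GateConfig fields are assumptions that model the page's recommendations, not the skill's real API.

```python
"""Approval gate for agent-issued mail actions (added example, assumed API)."""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Actions that irreversibly destroy or divert physical mail (assumed names).
DESTRUCTIVE = {"shred", "dispose", "return_to_sender", "discard"}
# Actions that create outbound production mail and spend money (assumed name).
OUTBOUND = {"send"}
# Mail classes the findings single out as high-consequence; a standing rule is
# never allowed to destroy these without a human looking at the item.
PROTECTED_CATEGORIES = {"legal", "government", "tax", "compliance"}
# Assumed threshold below which a classifier label is not trusted for destruction.
MIN_CONFIDENCE = 0.95


@dataclass
class ApprovedRule:
    """A standing instruction such as 'junk -> discard' that a named human approved."""
    rule_id: str
    action: str
    category: str
    approved_by: str


@dataclass
class GateConfig:
    force_approval: bool = True      # every risky action needs a human at call time
    dry_run: bool = True             # sandbox/dry-run key: never execute for real
    spend_limit_cents: int = 0       # 0 means no outbound spend at all
    approved_rules: Dict[str, ApprovedRule] = field(default_factory=dict)
    spent_cents: int = 0


@dataclass
class MailAction:
    action: str
    item_id: str
    category: str                    # classifier label for the item; may be wrong
    confidence: float                # classifier confidence in that label
    rule_id: Optional[str] = None    # standing rule the agent cites, if any
    cost_cents: int = 0              # postage/handling cost for outbound mail


@dataclass
class Decision:
    allowed: bool
    reason: str
    needs_human: bool = False
    dry_run: bool = False


def _allow(cfg: GateConfig, reason: str) -> Decision:
    if cfg.dry_run:
        return Decision(True, reason + " (dry-run, not executed)", dry_run=True)
    return Decision(True, reason)


def evaluate(action: MailAction, cfg: GateConfig, human_ok: bool = False) -> Decision:
    """Decide whether the agent may perform `action`; human_ok means an operator
    confirmed this specific call (for example through an approval prompt)."""
    if action.action not in DESTRUCTIVE and action.action not in OUTBOUND:
        return Decision(True, "non-destructive action")

    # The spend limit applies even when a human approved the call.
    if action.action in OUTBOUND and cfg.spent_cents + action.cost_cents > cfg.spend_limit_cents:
        return Decision(False, "spend limit exceeded")

    if human_ok:
        return _allow(cfg, "operator confirmed this action")

    if cfg.force_approval:
        return Decision(False, "force_approval: operator confirmation required", needs_human=True)

    if action.action in OUTBOUND:
        # Outbound production mail is never sent autonomously.
        return Decision(False, "outbound mail requires operator confirmation", needs_human=True)

    # Destructive action under a standing rule: every condition below must hold.
    if action.category in PROTECTED_CATEGORIES:
        return Decision(False, f"{action.category} mail is never auto-destroyed", needs_human=True)
    rule = cfg.approved_rules.get(action.rule_id or "")
    if rule is None or rule.action != action.action or rule.category != action.category:
        return Decision(False, "no human-approved rule matches this action and category",
                        needs_human=True)
    if action.confidence < MIN_CONFIDENCE:
        return Decision(False, f"classifier confidence {action.confidence:.2f} is below "
                               f"{MIN_CONFIDENCE}", needs_human=True)
    return _allow(cfg, f"rule {rule.rule_id} approved by {rule.approved_by}")


def commit(action: MailAction, cfg: GateConfig, decision: Decision) -> None:
    """Account for spend once an allowed outbound action has really been executed."""
    if decision.allowed and not decision.dry_run and action.action in OUTBOUND:
        cfg.spent_cents += action.cost_cents


if __name__ == "__main__":
    cfg = GateConfig(force_approval=False, dry_run=True, spend_limit_cents=500,
                     approved_rules={"r1": ApprovedRule("r1", "discard", "junk", "alice")})
    for a in (MailAction("discard", "m1", "junk", 0.98, rule_id="r1"),
              MailAction("discard", "m2", "junk", 0.60, rule_id="r1"),
              MailAction("shred", "m3", "tax", 0.99, rule_id="r1"),
              MailAction("send", "m4", "outbound", 1.0, cost_cents=800)):
        print(a.action, a.item_id, evaluate(a, cfg))
```

The design point is that a standing rule such as 'Junk mail → discard' is only honoured when a human approved that exact action/category pair, the classifier is confident, and the item is not in a protected class; anything else is routed back to an operator rather than silently denied, and with the default GateConfig (force_approval on, dry-run on, zero spend limit) nothing irreversible or paid can happen until an operator deliberately relaxes each setting.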

VirusTotal

VirusTotal findings are pending for this skill version.


Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Severity: Critical
Code: suspicious.exposed_secret_literal
Location: SKILL.md:84
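A practitioner will want to confirm a finding like this locally before installing the skill. The following is an added example of a heuristic secret-literal scan written for this page; it is not the rule SkillSpector or the page's static analyser uses. The keyword list, placeholder patterns and entropy threshold are assumptions, and SAMPLE_SKILL_MD is a constructed stand-in rather than the real SKILL.md (the real finding is at line 84 of that file, which this sample does not reproduce).

```python
"""Heuristic check for hard-coded secrets in a skill's SKILL.md (added example)."""
import math
import re
from collections import Counter
from typing import List, Tuple

# Constructed sample, not the real file. Line 5 embeds a fake, randomly chosen token.
SAMPLE_SKILL_MD = """# mailbox.bot skill (constructed sample)
Set MAILBOX_API_KEY in your environment and never commit it.
export MAILBOX_API_KEY="${MAILBOX_API_KEY}"
Authorization: Bearer <your-token-here>
api_key = "Q7vK2pLm9XrT4bNw8sHc1ZyJ3fGd6aUe5oRi0tBn"
secret = "xxxxxxxxxxxxxxxxxxxxxxxx"
token_ttl_seconds = 3600
"""

# A line is only examined if it mentions something secret-like (assumed list).
KEYWORD = re.compile(r"(?i)api[_-]?key|secret|token|bearer|authorization|password")
# Candidate literal: a run of base64/hex/URL-safe characters long enough to be a key.
LITERAL = re.compile(r"[A-Za-z0-9_\-+/=]{20,}")
# Obvious placeholders that are not real secrets (assumed patterns).
PLACEHOLDER = re.compile(r"(?i)your[_-].*|x{6,}|example.*|changeme")
MIN_ENTROPY = 3.5  # assumed; random keys sit well above this, English prose below it


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical symbol distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_secret_literals(text: str, min_entropy: float = MIN_ENTROPY) -> List[Tuple[int, str, float]]:
    """Return (line_number, literal, entropy) for each suspected hard-coded secret.
    Requiring both a keyword on the line and a high-entropy literal keeps false
    positives (long identifiers, hashes in unrelated text) low."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not KEYWORD.search(line):
            continue
        for m in LITERAL.finditer(line):
            lit = m.group(0)
            if PLACEHOLDER.fullmatch(lit):
                continue
            ent = shannon_entropy(lit)
            if ent >= min_entropy:
                hits.append((lineno, lit, round(ent, 2)))
    return hits


def report(path: str, text: str) -> List[str]:
    """Format hits in the shape of the page's static-analysis entry, showing only
    a prefix of the literal so the report itself does not leak the secret."""
    return [f"suspicious.exposed_secret_literal {path}:{ln} entropy={ent} {lit[:6]}..."
            for ln, lit, ent in scan_secret_literals(text)]


if __name__ == "__main__":
    for line in report("SKILL.md", SAMPLE_SKILL_MD):
        print(line)
```

Run against the real SKILL.md by reading the file into `text`; a hit at the reported line confirms the finding, and the environment-variable placeholder and masked examples in the sample show which shapes are safe to leave in place. A referenced `${MAILBOX_API_KEY}` is the form the file should use; a literal key belongs in the operator's secret store, not in the skill.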