Back to skill

Security audit

IMAP IDLE Watcher

Security checks across malware telemetry and agentic risk

Overview

This email watcher is not deceptive, but it installs a persistent service that can run arbitrary shell commands on incoming mail and may run with elevated local privileges.

Install only if you want a long-running local email automation service. Use a dedicated low-privilege user or user-level systemd service, avoid passing app passwords on the command line, restrict the service/env file permissions, set narrow sender or subject filters, review the handler command carefully, and revoke the mailbox app password when uninstalling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (9)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
log.info(f"🔄 Running: {ON_NEW_MAIL_CMD}")
    try:
        result = subprocess.run(
            ON_NEW_MAIL_CMD,
            shell=True,
            capture_output=True,
Confidence
97% confidence
Finding
result = subprocess.run( ON_NEW_MAIL_CMD, shell=True, capture_output=True, text=True, timeout=300, env=env, )

Tainted flow: 'ON_NEW_MAIL_CMD' from os.environ.get (line 42, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
log.info(f"🔄 Running: {ON_NEW_MAIL_CMD}")
    try:
        result = subprocess.run(
            ON_NEW_MAIL_CMD,
            shell=True,
            capture_output=True,
Confidence
98% confidence
Finding
result = subprocess.run( ON_NEW_MAIL_CMD, shell=True, capture_output=True, text=True, timeout=300, env=env, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises and documents capabilities that clearly require environment access, network connectivity, and shell execution, yet it declares no permissions. That omission weakens review and consent boundaries, because users and platforms are not explicitly warned that the skill will handle credentials, make persistent IMAP connections, and execute commands.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior materially exceeds the stated purpose: it not only watches for mail but also reads header metadata, filters content, installs/uninstalls a systemd service, writes credential-bearing configuration, and executes arbitrary shell commands. This mismatch is dangerous because users may consent to a passive watcher while actually enabling privileged persistence, credential storage, and command execution triggered by external input.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill intentionally runs an arbitrary shell command supplied through configuration whenever mail arrives. That makes the component a code-execution wrapper around external events; in context, this is more dangerous because it is designed for unattended systemd execution and can repeatedly trigger privileged automation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs users to provide an IMAP app password and configure a command that will run automatically on new mail, but it does not prominently warn about secret storage, exposure in process history, service files, or the risks of command execution on attacker-influenced email events. In this context, email is an external trigger source, so unsafe handler commands or poorly protected credentials could lead to account compromise or local code execution workflows.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document instructs users to generate and copy a Yahoo app password but does not state that this credential is sensitive, should be stored securely, and must never be shared or committed to files. In the context of an IMAP watcher skill that relies on long-lived mailbox credentials, this omission increases the chance of credential leakage and unauthorized mailbox access.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The daemon forwards email metadata such as sender, subject, date, and UID into the child process environment. This can leak potentially sensitive information to scripts, subprocesses, logs, crash dumps, or descendant tools without an explicit warning or minimization step, especially in automation pipelines that invoke third-party utilities.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script explicitly supports `--password` on the command line and even documents it in usage examples. Supplying secrets this way can expose the IMAP app password through shell history, process listings, CI logs, and audit trails, which is especially risky because this skill is built around long-lived mailbox credentials.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.