Back to skill

Security audit

Proton Bridge Email

Security checks across malware telemetry and agentic risk

Overview

This email skill is mostly transparent, but it needs review because it decrypts mail credentials and can use a configurable SMTP server while disabling TLS certificate checks.

Install only if you want an agent to send email through your Proton Bridge account. Keep SMTP_HOST set to localhost or 127.0.0.1, protect the age key, delete the temporary plaintext env file immediately after encryption, and use confirmations or recipient allowlists for automated emails.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill instructs use of shell commands and access to local secret files, but it declares no permissions. This creates a transparency and least-privilege problem: an agent or reviewer may not realize the skill reads sensitive files like age keys and encrypted credential blobs, then invokes local scripts to process them. In the context of an email-sending skill that handles authentication material, undeclared file_read and shell capabilities are more sensitive than they would be for a purely informational skill.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The script is described as sending through Proton Bridge on localhost, but it actually accepts arbitrary SMTP host and port values from decrypted configuration. In a skill that decrypts stored mail credentials and automatically transmits email, this mismatch can cause operators to trust a local-only design while credentials and message contents are sent to a remote server instead.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The code creates an unverified TLS context and uses it for both SMTP over SSL and STARTTLS regardless of the configured host. If SMTP_HOST is changed from localhost to any remote endpoint, certificate validation is completely disabled, enabling man-in-the-middle interception of credentials and email contents.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The instructions explicitly direct the user to place sensitive Proton Bridge credentials, including the bridge password, into a plaintext file before encryption. Even if temporary, plaintext secrets can be exposed through shell history, editor swap files, backups, accidental commits, permissive file permissions, or other local processes, making this a real secret-handling weakness.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.