Security audit

email-triage

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-built for email triage, but it handles mailbox credentials and can send email previews to any Ollama URL configured in the environment.

Review this carefully before installing. Use an app-specific IMAP password, point OLLAMA_URL only at a trusted local endpoint such as localhost, avoid running it on highly sensitive mailboxes, and check or delete the local state file as needed. This is not classified as malicious because the behavior matches email triage, but its data handling needs clearer limits and disclosure.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Tainted flow: 'req' from os.environ.get (line 189, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
            data=payload,
            headers={"Content-Type": "application/json"},
        )
        with urllib.request.urlopen(req, timeout=CLASSIFICATION_TIMEOUT) as resp:
            result = json.loads(resp.read())
            response_text = result.get("response", "").strip()
Confidence
97% confidence
Finding
with urllib.request.urlopen(req, timeout=CLASSIFICATION_TIMEOUT) as resp:

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documentation describes capabilities that access environment variables, write persistent local state, and connect to remote services (IMAP and optionally Ollama), but it does not declare any corresponding permissions. This creates a transparency and governance gap: users or platforms may grant or execute the skill without understanding it will handle mailbox credentials and inbox data, increasing the risk of over-privileged or unreviewed operation.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill explicitly requires IMAP credentials and processes inbox contents, and may forward message data to a local Ollama service for classification, yet the documentation lacks a clear privacy and data-handling warning. Because email often contains sensitive personal, financial, legal, or security information, users may unknowingly expose confidential content to local logs, persistent state, or auxiliary services.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This function transmits portions of unread emails to the Ollama API for classification, but the transfer happens implicitly with no explicit runtime notice or consent at the call site. In the context of an email-triage skill, this matters because emails often contain confidential business, legal, financial, or personal data; even if Ollama is intended to be local, misconfiguration or future changes could send that data off-host without operators realizing it.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.