Security audit

Zoho Email Integration

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate Zoho Mail integration, but it includes live mailbox-changing and email-sending paths with some misleading or under-scoped safety behavior.

Install only if you are comfortable giving the skill access to a Zoho mailbox. Use OAuth2 where possible, protect token/password files, test with a non-production mailbox first, review commands before enabling /email send in chat, and avoid running the included live test scripts unless you understand that they may send real messages or change mailbox state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (17)

Intent-Code Divergence (Medium, 94% confidence)

The document asserts the skill is fixed in v2.2.0, but the deployment instructions still require manually copying a separate secure handler over the existing command handler. This creates a real security gap: users may believe they are protected after upgrading while continuing to run the vulnerable handler if they miss or misunderstand the manual replacement step.

Intent-Code Divergence (Medium, 95% confidence)

The documentation states that replacing `eval` with `bash -c` is a security fix, but `bash -c` still executes a shell and remains dangerous if any untrusted input can reach the command string. This can mislead users or maintainers into deploying a test script they believe is safe when command injection risk may still exist.

Intent-Code Divergence (Medium, 84% confidence)

The skill claims to be hardened against path traversal, yet later documents attachment downloads to an arbitrary caller-supplied output path. If the implementation follows this contract without strict path validation, a user or upstream automation could overwrite unintended local files, especially in unattended workflows.

Intent-Code Divergence (Medium, 97% confidence)

The function documentation states that old emails will be archived, but the implementation performs `action='delete'`, which moves messages to Trash instead. This mismatch can cause operators to run a destructive cleanup under the false assumption that messages will remain recoverable in an archive workflow, increasing the risk of accidental data loss.

Intent-Code Divergence (Medium, 95% confidence)

The method claims to revoke an OAuth2 token but only deletes the local token file. This can leave the remote refresh/access token valid at the provider, creating a false sense of security and allowing continued account access if the token was already exposed or stored elsewhere.

Intent-Code Divergence (Medium, 98% confidence)

The IMAP delete path marks messages as `\Deleted` and then immediately calls `expunge()`, which can permanently remove mail from the selected folder. This contradicts the stated behavior of only moving messages to Trash, creating a data-loss risk when users rely on the safer documented semantics.

Intent-Code Divergence (Medium, 92% confidence)

This is a real command-injection risk because the helper executes dynamically constructed command strings via `bash -c`. While `TEST_RECIPIENT` is regex-validated and some arguments are single-quoted, other interpolated values such as `ZOHO_SCRIPT` are inserted into the shell command and can break out of quoting if they contain a single quote or other shell-significant content, which is possible because the script path is derived from the filesystem rather than from trusted constants. In this skill context, the script handles email credentials and sends mail, so successful injection could execute arbitrary commands in the user's environment and expose secrets like `ZOHO_PASSWORD`.

Intent-Code Divergence (Medium, 90% confidence)

The test script instructs users to provide a direct email address and password via environment variables, which conflicts with the stated OAuth2-based design. This encourages weaker credential handling, increases the chance of long-lived secrets being used in testing, and may lead users to expose real mailbox credentials in shell history, logs, or CI environments.

Missing User Warnings (Medium, 88% confidence)

The documentation describes downloading email attachments to local paths without warning that attachments are untrusted input and that the operation writes files to disk. In real deployments, this can lead to accidental overwrites, storage of malicious content, or downstream execution/opening of attacker-supplied files by users or automation.

Missing User Warnings (Medium, 91% confidence)

The automated attachment workflow encourages scripted bulk downloads of PDF attachments from email search results without warning about malicious files, repeated writes, or file overwrite behavior. In context, this is more dangerous because it is designed for automation, reducing human review and increasing the chance that attacker-controlled email content gets written and processed at scale.

Missing User Warnings (Medium, 85% confidence)

The `/email send` path performs a real external side effect immediately after parsing arguments, with no confirmation, dry-run mode, or explicit warning in the command flow. In an agent/chatbot context, this increases the risk of accidental or prompt-induced email transmission to unintended recipients, which can leak sensitive data or cause unauthorized communications.

Missing User Warnings (Medium, 89% confidence)

The example instructs users to export live email credentials and source a credentials file, but it does not warn about secure storage, shell history leakage, file permissions, or avoiding plaintext secrets in scripts. In an automation/cron context, this can lead to accidental credential exposure through process listings, world-readable files, logs, or copied examples.

Missing User Warnings (Medium, 83% confidence)

The `/email send` chat command example exposes a capability to transmit email to arbitrary external recipients from a messaging interface without any warning about recipient validation, authorization, or the risk of unintended outbound messages. In Telegram/Discord-style integrations, this increases the chance of abuse, spoofed requests, or operator mistakes causing data exfiltration or spam.

Missing User Warnings (Medium, 95% confidence)

The script overwrites `zoho-email.py` in place without prompting the user, creating a backup, or validating that the transformation is safe and complete. This can silently corrupt the target file, destroy local modifications, or leave the application in a broken state if the expected markers or replacement strings do not match exactly.

Missing User Warnings (Medium, 91% confidence)

The test script sends a real email as part of its verification flow without requiring explicit user acknowledgement or a dry-run/sandbox mode. In an agent skill context, this can cause unintended outbound communication, data leakage, spam-like behavior, or side effects in production mailboxes when the script is run automatically.

Missing User Warnings (Medium, 95% confidence)

The script modifies mailbox state by marking messages read/unread, moving messages between folders, and performing batch operations, but it does not provide a strong warning or require opt-in before altering live account contents. In an automation setting, this can corrupt user workflow state, hide unread mail, move important messages, or trigger operational confusion in a real mailbox.

Missing User Warnings (Low, 79% confidence)

The script reads sensitive mailbox credentials directly from environment variables and provides no guidance about safe handling. While common in test scripts, this can still expose secrets through CI job logs, process inspection in some environments, shell session leakage, or unsafe reuse of production credentials.

VirusTotal

VirusTotal findings are pending for this skill version.