Cerbug45 Email Formatter

Security checks across malware telemetry and agentic risk

Overview

This looks like a defensive email-formatting skill, but it needs review because it can automatically install packages, alter the local Python environment, and create persistent helper files.

Install only after reviewing the setup behavior. Prefer running it in an isolated environment or virtual environment, do not allow automatic pip installs with --break-system-packages, and avoid using it for highly sensitive email drafts unless you are comfortable with local temporary files and command-line processing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
97% confidence
Finding
The skill declares itself as a simple email-formatting tool, but the document contains shell execution, package installation, model downloads, and Python scripts that exercise network and local command capabilities. Undeclared execution/network behavior expands the trust boundary and can surprise a host agent into running commands with user privileges.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The advertised function is email polishing, but the skill also performs security triage, incident handling, local environment modification, dependency installation, and repository updates. This mismatch can cause agents or users to grant the skill broader authority than intended, increasing the chance of unsafe execution and inappropriate handling of user content.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
An email-formatting skill should not instruct agents to install packages, download models, or pull remote updates during normal use. Remote dependency installation introduces supply-chain and execution risks, especially when performed automatically and without pinning or integrity verification.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill embeds a large security-scanning and incident-response subsystem that is not necessary for polishing email drafts. Even if intended as safety guidance, this broadens data processing and decision-making scope, creating privacy, overblocking, and misuse risks beyond the stated purpose.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The workflow directs the agent to modify the local environment by creating directories and installing software for a task that should be achievable without host changes. Unnecessary environment modification increases attack surface and persistence opportunities on the machine running the skill.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The document claims privacy-safe logging should avoid storing email content, but the scanner records matched regex patterns and other diagnostic fields that can reveal fragments or categories derived from sensitive user messages. This creates a contradiction between stated privacy guarantees and actual logging behavior, risking leakage of private or regulated content.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The installer attempts to install additional Python packages with pip, including using the high-risk --break-system-packages flag, even though the declared skill is only for email formatting. This expands the host environment, changes user or system Python state, and introduces unnecessary supply-chain and environment-modification risk beyond the skill's stated purpose.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The installer executes security_scan.py during installation, which introduces behavior unrelated to the manifest's email-formatting purpose and runs extra code on the user's machine at install time. Even if the current test input is benign, executing auxiliary code during install increases attack surface and could conceal unexpected data processing or later abuse if the helper script is modified.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The generated configuration and user-facing output advertise security scanning commands and helper scripts that are outside the stated scope of an email-formatting skill. This capability mismatch is dangerous because it normalizes unexpected functionality, making users more likely to trust and run components they did not consent to install for this purpose.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The implementation is fundamentally inconsistent with the declared skill purpose: instead of formatting or polishing emails, it performs security-policy screening and can block processing entirely. In an agent ecosystem, this capability mismatch is dangerous because it gives a seemingly benign formatting skill hidden moderation and denial behavior that can suppress user content, interfere with routing, and violate least-privilege expectations.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code enforces broad moderation categories such as harassment, discrimination, academic dishonesty, manipulation, and false-information detection, which are unrelated to basic email polishing. This expands the skill's authority beyond user expectations and creates covert content-governance behavior inside a low-risk utility, increasing the chance of inappropriate blocking, censorship, or misuse in downstream workflows.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The module docstring explicitly states that the file scans emails for security red flags, directly contradicting the manifest's representation as an email formatter. This deceptive or mismatched documentation is dangerous because it signals the skill was packaged under misleading metadata, which can cause operators and orchestrators to trust and invoke code with capabilities they did not intend to grant.

Session Persistence

Medium
Category
Rogue Agent
Content
echo "📚 Downloading language model..."
python3 -m spacy download en_core_web_sm --quiet 2>/dev/null || true

# Create helper scripts directory
mkdir -p "$SKILL_DIR/scripts"

# Test installation
Confidence
95% confidence
Finding
Create helper scripts directory mkdir -p "$SKILL_DIR/scripts" # Test installation if python3 -c "import language_tool_python; import textstat; import spacy" 2>/dev/null; then echo "✅ Email Format

Session Persistence

Medium
Category
Rogue Agent
Content
## Helper Scripts & Tools

The skill includes utility scripts for AI agents to use. Create these in `~/.email-formatter-skill/scripts/`:

### 1. Grammar Checker (`grammar_check.py`)
Confidence
96% confidence
Finding
Create these in `~/.email-formatter-skill

VirusTotal

66/66 vendors flagged this skill as clean.