Back to skill

Security audit

BotEmail.ai - Free bot email

Security checks across malware telemetry and agentic risk

Overview

This is a coherent BotEmail.ai inbox skill with sensitive verification-code capabilities that are disclosed and purpose-aligned, but users should treat it as access to authentication emails.

Install only if you are comfortable routing bot or test-account email through BotEmail.ai. Protect the generated API key like a password, avoid using this for real-user or high-value production 2FA flows, confirm before deleting inbox contents or enabling heartbeat monitoring, and review the optional MCP server separately before installing it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Natural-Language Policy Violations

High
Confidence
97% confidence
Finding
The skill explicitly promotes automated retrieval of 2FA codes, which can facilitate bypass of step-up authentication and weaken account security controls. Because the skill is designed to receive verification and authentication messages automatically, it materially increases the risk of credential abuse or unauthorized account access when paired with other compromised credentials.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.