ClawHub

quiet-mail

Security checks across malware telemetry and agentic risk

Overview

This is a real agent-controlled email service, but it needs review because it bundles live-looking email credentials and enables broad outbound email with weak safeguards.

Install only if you intentionally want an agent to control an external email account. Rotate or remove the bundled SMTP credentials before any use, avoid running the live SMTP test scripts, restrict recipients and sending volume, require human approval for outbound mail, and treat quiet-mail API keys and mailbox passwords as secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (24)

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The file implements real outbound email delivery using authenticated SMTP with hardcoded credentials, despite no stated legitimate business need or safety controls. This creates an abuse path for unauthorized email sending, account misuse, spam/phishing activity, and compromise of the associated mail account if the code is exposed or reused.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The docstring labels the code as a harmless test, but it performs an actual authenticated SMTP send to a live server. Misrepresenting real network actions as a test reduces scrutiny, increases the chance of accidental execution, and can conceal behavior that sends messages or validates stolen credentials against an external service.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation instructs users to send email content, recipient addresses, and bearer tokens to a third-party remote API without clearly warning that message bodies and metadata leave the local environment. In an agent context, this can cause unreviewed exfiltration of sensitive prompts, PII, or secrets through automated email-sending flows.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README advertises capabilities to send email, list inbox contents, delete agents, and handle one-time API keys, but provides no warnings about privacy exposure, account/data deletion, or the sensitivity of mailbox contents and credentials. In an agent-facing context, this omission increases the chance that operators or downstream agents invoke destructive or privacy-impacting actions without informed consent or proper safeguards.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explicitly promotes sending emails and using addresses for third-party service signups, but it does not include guardrails around consent, privacy, lawful use, or handling of personal data. In an agent context, this can normalize unsolicited outreach, account creation with shared infrastructure, and transmission of user data to an external mail provider without informed approval.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script prints the full API response and then explicitly echoes the newly issued API key to stdout. This exposes credentials to terminal scrollback, shell logging, CI job logs, and screen recordings, making accidental credential disclosure likely even if the API call itself is legitimate.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code uses SMTP credentials and sends email without any user-facing warning, consent, or disclosure, which is risky in an agent skill context where users may not expect external communications. Combined with embedded credentials, this can enable silent data exfiltration, unauthorized message transmission, or covert account usage.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
This script embeds a real SMTP username and password directly in source code and then uses them to send email over the network automatically. Hardcoded credentials are highly sensitive because anyone with access to the file can reuse them to access the mailbox or SMTP service, send unauthorized email, and potentially pivot into broader account compromise or abuse.

External Transmission

Medium
Category
Data Exfiltration
Content
api_key = data["apiKey"]

# Send email
requests.post(
    "https://api.quiet-mail.com/agents/my-bot/send",
    headers={"Authorization": f"Bearer {api_key}"},
    json={
Confidence
90% confidence
Finding
requests.post( "https://

External Transmission

Medium
Category
Data Exfiltration
Content
api_key = data["apiKey"]

# Send email
requests.post(
    "https://api.quiet-mail.com/agents/my-bot/send",
    headers={"Authorization": f"Bearer {api_key}"},
    json={
Confidence
90% confidence
Finding
requests.post( "https://api.quiet-mail.com/agents/my-bot/send", headers={"Authorization": f"Bearer {api_key}"}, json=

External Transmission

Medium
Category
Data Exfiltration
Content
const {apiKey} = await createResp.json();

// Send email
await fetch('https://api.quiet-mail.com/agents/my-bot/send', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${apiKey}`,
Confidence
90% confidence
Finding
fetch('https://api.quiet-mail.com/agents/my-bot/send', { method: 'POST'

External Transmission

Medium
Category
Data Exfiltration
Content
### 2. Send an Email

```bash
curl -X POST https://api.quiet-mail.com/agents/my-agent/send \
  -H "Authorization: Bearer qmail_abc123..." \
  -H "Content-Type: application/json" \
  -d '{
Confidence
93% confidence
Finding
https://api.quiet-mail.com/

External Transmission

Medium
Category
Data Exfiltration
Content
### 3. List Sent Emails

```bash
curl https://api.quiet-mail.com/agents/my-agent/sent \
  -H "Authorization: Bearer qmail_abc123..."
```
Confidence
78% confidence
Finding
https://api.quiet-mail.com/

External Transmission

Medium
Category
Data Exfiltration
Content
# Send email
requests.post(
    "https://api.quiet-mail.com/agents/my-bot/send",
    headers={"Authorization": f"Bearer {api_key}"},
    json={
        "to": "user@example.com",
Confidence
90% confidence
Finding
https://api.quiet-mail.com/

External Transmission

Medium
Category
Data Exfiltration
Content
const {apiKey} = await createResp.json();

// Send email
await fetch('https://api.quiet-mail.com/agents/my-bot/send', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${apiKey}`,
Confidence
90% confidence
Finding
https://api.quiet-mail.com/

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
**Base URL:** `https://api.quiet-mail.com` (or `http://127.0.0.1:8000` for local)

**Philosophy:** Simple, unlimited email for AI agents. No verification required.

---
Confidence
92% confidence
Finding
No verification

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
- Agent creation
- Email sending
- Sent email tracking
- No verification required
- Unlimited sending (monitored)
Confidence
92% confidence
Finding
No verification

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
# quiet-mail - Email for AI Agents

**Unlimited email for AI agents. No verification, no limits, just reliable email.**

---
Confidence
92% confidence
Finding
No verification

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
## Why quiet-mail?

✅ **Unlimited sending** - No 25/day limit like ClawMail  
✅ **No verification** - Instant signup, no Twitter required  
✅ **Simple API** - Create agent, send email, done  
✅ **Free forever** - No hidden costs, no usage fees  
✅ **Own infrastructure** - Reliable mailcow stack, not dependent on third parties
Confidence
91% confidence
Finding
No verification

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
**Q: Is this really unlimited?**  
A: Yes, with trust-based monitoring. Don't abuse it and you're good. We're watching the first 100 signups carefully.

**Q: Why no verification?**  
A: Friction kills adoption. We trust agents and monitor for abuse instead.

**Q: Can I read emails too?**
Confidence
88% confidence
Finding
no verification

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
## Why We Built This

ClawMail is great but has limits (25 emails/day, Twitter verification). We wanted something simpler for individual AI agents. No verification, no limits, just reliable email.

Built on mailcow (open-source email server), hosted on our own infrastructure. No third-party dependencies.
Confidence
90% confidence
Finding
No verification

Credential Access

High
Category
Privilege Escalation
Content
def get_api_key(agent_id):
    """Get API key from database"""
    conn = psycopg2.connect(DB_CONN)
    cur = conn.cursor()
    cur.execute('SELECT api_key FROM agents WHERE id = %s', (agent_id,))
Confidence
90% confidence
Finding
Get API key from

Session Persistence

Medium
Category
Rogue Agent
Content
## Quick Start

### 1. Create an Agent

```bash
curl -X POST https://api.quiet-mail.com/agents \
Confidence
82% confidence
Finding
Create an Agent ```bash curl -X POST https://api.quiet-mail.com/agents \ -H "Content-Type: application/json" \ -d '{ "id": "my-agent", "name": "My AI Assistant" }' ``` **Response:** ``

Session Persistence

Medium
Category
Rogue Agent
Content
```python
import requests

# Create agent
resp = requests.post(
    "https://api.quiet-mail.com/agents",
    json={"id": "my-bot", "name": "My Bot"}
Confidence
86% confidence
Finding
Create agent resp = requests.post( "https://api.quiet-mail.com/agents", json={"id": "my-bot", "name": "My Bot"} ) api_key = resp.json()["apiKey"] # Send email requests.post( "https://api.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal