Back to skill

Security audit

quiet-mail

Security checks across malware telemetry and agentic risk

Overview

This is a real email-sending skill, but it needs review because it enables broad agent-controlled outbound email and ships live-looking plaintext mail credentials in test scripts.

Install only if you intentionally want an agent to control an external email account. Remove and rotate the bundled SMTP credentials before use, avoid running the live SMTP test scripts, restrict recipients and sending volume, require explicit human approval before outbound mail, and treat quiet-mail API keys and mailbox passwords as secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (27)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The endpoint documentation explicitly warns that deletion permanently removes the agent and all emails, but the code only sets `deleted_at` in the database and then performs mailbox deletion on a best-effort basis. This mismatch can create a data retention/privacy issue: users and operators may believe data is gone when account records may still remain recoverable or active in downstream logic that does not consistently filter soft-deleted rows.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation instructs users to send recipient addresses, subjects, and message bodies to a third-party email API but does not explicitly warn that this transmits potentially sensitive content off-platform. In an agent skill context, lack of a disclosure/consent warning increases the risk that users or downstream agents send private data without understanding it leaves the local environment.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The base URL advertises an unencrypted local HTTP endpoint without any warning that it is only appropriate for trusted local development. If copied into non-local or containerized/shared-network deployments, API keys and email content could be exposed in transit.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users to send email content and recipient addresses to a third-party service but does not explicitly warn that this transmits potentially sensitive data off-platform. In an agent context, this can cause unreviewed disclosure of personal, confidential, or regulated information to an external provider.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The examples recommend storing API keys in a plain local file and environment variables without clearly warning about credential leakage through backups, shell history, process inspection, logs, or multi-user systems. If exposed, the API key can be used to impersonate the agent and send unauthorized email.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The model stores a mailbox password directly in a normal String column, indicating plaintext or reversibly stored credentials in the application database. If the database, ORM logs, backups, or admin tooling are exposed, attackers could recover mailbox credentials and gain access to SMTP/IMAP accounts, enabling message theft, impersonation, and lateral compromise.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The code embeds live SMTP credentials directly in source and uses them to send email programmatically without any disclosure, consent, or secret-handling safeguards. Hardcoded credentials are easily exposed through source control, logs, or artifact leakage, enabling unauthorized mailbox access or abuse of the SMTP account for spam, phishing, or impersonation.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script transmits an email over the network using embedded SMTP credentials and does so automatically when executed, with no user warning, consent, or runtime confirmation. In the context of an agent skill, undisclosed outbound network actions combined with credentialed access increase the risk of unauthorized messaging, data exfiltration, and abuse of the associated mailbox.

Missing User Warnings

High
Confidence
100% confidence
Finding
The file contains a hardcoded SMTP password in plaintext, which is a direct secret exposure vulnerability. Anyone with access to the code can reuse the credential to authenticate to the mail server, send unauthorized email as the account, access related infrastructure depending on credential reuse, or abuse the account for phishing and spam.

External Transmission

Medium
Category
Data Exfiltration
Content
api_key = data["apiKey"]

# Send email
requests.post(
    "https://api.quiet-mail.com/agents/my-bot/send",
    headers={"Authorization": f"Bearer {api_key}"},
    json={
Confidence
95% confidence
Finding
requests.post( "https://

External Transmission

Medium
Category
Data Exfiltration
Content
api_key = data["apiKey"]

# Send email
requests.post(
    "https://api.quiet-mail.com/agents/my-bot/send",
    headers={"Authorization": f"Bearer {api_key}"},
    json={
Confidence
95% confidence
Finding
requests.post( "https://api.quiet-mail.com/agents/my-bot/send", headers={"Authorization": f"Bearer {api_key}"}, json=

External Transmission

Medium
Category
Data Exfiltration
Content
const {apiKey} = await createResp.json();

// Send email
await fetch('https://api.quiet-mail.com/agents/my-bot/send', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${apiKey}`,
Confidence
94% confidence
Finding
fetch('https://api.quiet-mail.com/agents/my-bot/send', { method: 'POST'

External Transmission

Medium
Category
Data Exfiltration
Content
# Send email
requests.post(
    "https://api.quiet-mail.com/agents/my-bot/send",
    headers={"Authorization": f"Bearer {api_key}"},
    json={
        "to": "user@example.com",
Confidence
94% confidence
Finding
https://api.quiet-mail.com/

External Transmission

Medium
Category
Data Exfiltration
Content
const {apiKey} = await createResp.json();

// Send email
await fetch('https://api.quiet-mail.com/agents/my-bot/send', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${apiKey}`,
Confidence
94% confidence
Finding
https://api.quiet-mail.com/

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
**Base URL:** `https://api.quiet-mail.com` (or `http://127.0.0.1:8000` for local)

**Philosophy:** Simple, unlimited email for AI agents. No verification required.

---
Confidence
91% confidence
Finding
No verification

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
- Agent creation
- Email sending
- Sent email tracking
- No verification required
- Unlimited sending (monitored)
Confidence
90% confidence
Finding
No verification

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
# quiet-mail API

Unlimited email for AI agents. No verification, no limits, just reliable email.

## Features
Confidence
91% confidence
Finding
No verification

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
## Features

- ✅ **Unlimited sending** - No 25 email/day limit
- ✅ **No verification** - Instant signup, no Twitter required
- ✅ **RESTful API** - Simple HTTP endpoints
- ✅ **Own infrastructure** - Built on mailcow
- ✅ **100% free** - Always
Confidence
93% confidence
Finding
No verification

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
{
  "name": "quietmail",
  "version": "1.0.0",
  "description": "Unlimited email for AI agents. No verification, no limits, just reliable email.",
  "keywords": [
    "email",
    "ai",
Confidence
88% confidence
Finding
No verification

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
"api_base": "https://api.quiet-mail.com",
      "features": [
        "Unlimited sending",
        "No verification required",
        "1GB storage per agent",
        "Simple REST API",
        "Free forever"
Confidence
91% confidence
Finding
No verification

Credential Access

High
Category
Privilege Escalation
Content
def get_api_key(agent_id):
    """Get API key from database"""
    conn = psycopg2.connect(DB_CONN)
    cur = conn.cursor()
    cur.execute('SELECT api_key FROM agents WHERE id = %s', (agent_id,))
Confidence
93% confidence
Finding
Get API key from

Known Vulnerable Dependency: fastapi==0.109.0 — 1 advisory(ies): CVE-2024-24762 (FastAPI is a web framework for building APIs with Python 3.8+ based on standard )

High
Category
Supply Chain
Confidence
88% confidence
Finding
fastapi==0.109.0

Known Vulnerable Dependency: python-multipart==0.0.6 — 10 advisory(ies): CVE-2024-24762 (python-multipart vulnerable to Content-Type Header ReDoS); CVE-2024-53981 (Denial of service (DoS) via deformation `multipart/form-data` boundary); CVE-2026-53539 (python-multipart: Quadratic-time querystring parsing with semicolon separators c) +7 more

High
Category
Supply Chain
Confidence
99% confidence
Finding
python-multipart==0.0.6

Known Vulnerable Dependency: aiosmtplib==3.0.1 — 1 advisory(ies): CVE-2026-53533 (aiosmtplib vulnerable to SMTP command injection via CR/LF in sender/recipient ad)

Low
Category
Supply Chain
Confidence
76% confidence
Finding
aiosmtplib==3.0.1

Known Vulnerable Dependency: python-jose==3.3.0 — 5 advisory(ies): CVE-2024-33663 (python-jose algorithm confusion with OpenSSH ECDSA keys); CVE-2024-33664 (python-jose denial of service via compressed JWE content); CVE-2024-33663 (python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA keys and ot) +2 more

Critical
Category
Supply Chain
Confidence
98% confidence
Finding
python-jose==3.3.0

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.