QQemail-agent

Security checks across malware telemetry and agentic risk

Overview

This email-access skill appears purpose-aligned, but it asks for mailbox credentials and persists them locally without enough warning or containment.

Review this skill carefully before installing. Only use it if you are comfortable granting mailbox read/send access, and avoid providing real email credentials unless the publisher documents secure storage, consent before writing .env, how to revoke access, and pinned patched dependencies.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to solicit an email authorization code from the user and store it, but does not warn that this is a sensitive secret granting mailbox access. Because the code enables IMAP/SMTP access, mishandling it could expose inbox contents and allow unauthorized email sending.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The auto-configuration flow writes mailbox credentials to `.env` without informing the user that secrets will be persisted locally in plaintext and that a file will be modified. This increases the risk of credential leakage through backups, source control, local compromise, or accidental sharing.

Unpinned Dependencies

Low
Category
Supply Chain
Content
imap-tools>=0.5.0
python-dotenv>=1.0.0
Confidence
94% confidence
Finding
imap-tools>=0.5.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
imap-tools>=0.5.0
python-dotenv>=1.0.0
Confidence
97% confidence
Finding
python-dotenv>=1.0.0

Known Vulnerable Dependency: python-dotenv — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
89% confidence
Finding
python-dotenv

VirusTotal

66/66 vendors flagged this skill as clean.