Back to skill

Security audit

Basemail

Security checks across malware telemetry and agentic risk

Overview

The skillโ€™s email workflow matches its purpose, but its wallet setup and secret-handling flows have enough high-impact usability and disclosure issues to require careful review.

Install only if you are comfortable giving the skill wallet-signing authority and BaseMail mailbox access. Use a dedicated low-value wallet, avoid managed setup in logged terminals or CI, treat any displayed mnemonic or echoed wallet password as sensitive, and review ~/.basemail for stored encrypted keys and tokens.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill explicitly requires environment secrets and documents network/API usage, but it does not declare corresponding permissions. This creates a transparency and governance gap: an agent platform may allow the skill to access sensitive environment variables and exfiltrate data over the network without users receiving a clear permission prompt or policy signal.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The script tells users that the mnemonic is not saved to disk, but later safety instructions refer to backing up and deleting a mnemonic file as if one exists. In a wallet-creation flow, contradictory recovery guidance can cause users to misunderstand where sensitive material resides, fail to back up the real secret, or search for non-existent files during a critical recovery scenario.

Intent-Code Divergence

Low
Confidence
87% confidence
Finding
The script claims managed mode always encrypts the private key, yet the codebase still references legacy plaintext key paths and uses inconsistent encryption-state variables later (`isEncrypt` appears undefined). In security-sensitive setup tooling, inaccurate guarantees about key handling can mislead operators and increase the chance of unsafe assumptions, broken flows, or accidental exposure during maintenance or future modifications.

Natural-Language Policy Violations

High
Confidence
94% confidence
Finding
The overwrite and continue confirmations are safety-critical, but they are presented only in Chinese. In a wallet-management script, a user who cannot read the prompts may consent to overwriting an existing wallet or fail to understand destructive actions, resulting in irreversible loss of funds or recovery material.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"audit": "node scripts/audit.js"
  },
  "dependencies": {
    "ethers": "^6.0.0"
  },
  "keywords": ["basemail", "email", "ai-agent", "web3", "base"],
  "license": "MIT"
Confidence
92% confidence
Finding
"ethers": "^6.0.0"

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal, suspicious.potential_exfiltration

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/inbox.js:14

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/register.js:25

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/send.js:13

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/register.js:142

Sensitive-looking file read is paired with a network send.

Warn
Code
suspicious.potential_exfiltration
Location
scripts/inbox.js:44

Sensitive-looking file read is paired with a network send.

Warn
Code
suspicious.potential_exfiltration
Location
scripts/send.js:45