Back to skill

Security audit

Ethermail

Security checks across malware telemetry and agentic risk

Overview

This EtherMail skill is mostly coherent, but it asks users to use a raw Ethereum private key with automatic WalletConnect signing, which deserves careful review before installation.

Install only if you specifically want EtherMail access through an Ethereum wallet. Do not use a primary or funded wallet key; use a dedicated low-value wallet, inspect the separate walletconnect-agent before using it, prefer manual or hardware-backed signing where possible, and run the browser automation in an isolated environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The skill advertises broad email access capabilities, but the documented behavior centers on extracting a WalletConnect URI from EtherMail’s login flow and using a local private key to complete wallet-based authentication. That mismatch is dangerous because it can cause an agent or user to invoke the skill for ordinary email tasks while instead initiating sensitive wallet-signing activity and browser scraping against an authentication surface.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The description uses broad phrases like checking or sending emails, receiving notifications, and communicating with other agents, which could cause automatic skill selection for generic email requests. In context, this is risky because the skill involves Web3 wallet connection and signing, so accidental activation could prompt sensitive authentication steps unrelated to the user’s intent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The instructions tell the operator to export a raw PRIVATE_KEY and run a script that will automatically sign a WalletConnect request, but they do not place a strong warning at the point of use about key handling, signing authority, or the consequences of connecting to an externally supplied WC URI. This increases the chance of credential leakage, misuse of a hot wallet, or unintended signing against a malicious or spoofed session.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"extract-uri": "node scripts/extract-wc-uri.js"
  },
  "dependencies": {
    "puppeteer": "^21.0.0"
  },
  "keywords": ["ethermail", "web3", "email", "walletconnect", "ai-agent"],
  "license": "MIT"
Confidence
92% confidence
Finding
"puppeteer": "^21.0.0"

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.