Jmail World - Search Epstein Files, E-Mails & Messages

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed research skill for querying and downloading public jmail.world archive data, with expected network access and local caching/downloads.

Install only if you are comfortable with a skill that can run local shell scripts, contact the listed jmail.world-related domains, cache public archive datasets in /tmp, and save downloaded PDFs/images to directories you choose. Treat the archive contents as sensitive public records and avoid bulk extraction or profiling beyond lawful, ethical research needs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill exposes shell, network, and environment-backed capabilities without any declared permissions or user-facing permission model. That creates a trust gap: consumers may assume the skill is passive research-only, while in practice it can execute commands and make outbound requests, increasing the risk of unintended downloads, local file writes, or abuse if later expanded.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented behavior materially exceeds the declared description by using an additional third-party asset host, performing file downloads, and invoking pdfimages to transform downloaded content into local PNG files. This mismatch can mislead users and security controls about the actual execution surface, causing them to approve a skill that performs broader network and filesystem actions than expected.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The security section makes a misleading assurance that there is no network access beyond cached Parquet files, but the examples show direct reads from remote URLs and separate remote downloads. Inaccurate security claims are dangerous because operators may rely on them when evaluating sandboxing, egress controls, and data-handling risk.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill description frames the capability as querying jmail.world data, but this code also downloads remote binary content from a different domain, writes it to user-chosen directories, and in some cases extracts images from PDFs. That materially expands the trust boundary and attack surface beyond simple search/analysis, creating risk of unexpected remote content ingestion, disk writes, and processing of untrusted files.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The generic download command turns a read/search-oriented archive skill into a remote file export tool that saves externally sourced files to local disk. Even with input validation, this is security-relevant because it enables retrieval and local persistence of untrusted content without strong user-facing warnings, increasing risk in agentic or automated environments.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The skill documents download and extraction operations but does not clearly warn that running them will create files on local disk, potentially in user-specified directories. That can lead to unexpected storage use, overwrites, or policy violations in controlled environments where tools are expected to be read-only unless explicitly stated.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The reference explicitly exposes bulk access to highly sensitive datasets including email bodies, iMessages, photos, and identified people, yet provides no privacy, legal-use, consent, or handling restrictions. In an agent skill context, this materially increases the risk of mass surveillance, doxxing, targeted harassment, and unsafe downstream use of intimate communications and personal data.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
These download paths write remote content to user-specified locations and process PDFs, but the command descriptions and help text do not clearly warn about outbound network access or local filesystem modification. In practice, users or higher-level agents may invoke what appears to be a search utility without realizing it will fetch and persist files from the internet.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document download feature saves remote files directly to disk with minimal user friction and no explicit safety messaging in the command help. In an automated assistant setting, that hidden side effect is dangerous because it can cause unintended file writes, storage consumption, and introduction of untrusted files into the local environment.

VirusTotal

63/63 vendors flagged this skill as clean.
