ClawHub

Email 163 Com Backup

Security checks across malware telemetry and agentic risk

Overview

This email-management skill is mostly purpose-aligned, but it needs review because it includes real-looking mailbox credentials and broad email read, send, attachment, and deletion powers without enough safeguards.

Install only after replacing all sample credentials, rotating the exposed-looking 163.com authorization code if it was ever real, and avoiding the remote installer. Treat this as full mailbox access: it can read, send, download attachments, move, delete, and permanently expunge mail. Use a dedicated app authorization code, keep the config private, inspect downloaded attachments, and avoid --all or --expunge unless you have verified the exact mailbox scope.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (21)

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The template says the distributed configuration is already preconfigured with the recipient's or sender's mailbox information, implying the packaged skill may contain real account settings or credentials. Sharing a redistributable package with embedded mailbox configuration can leak private account data, tokens, server settings, or secrets to recipients and anyone who intercepts the archive.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The documentation embeds what appear to be real 163.com account credentials in a configuration example, which can directly expose mailbox access if valid. Presenting them inside a security/configuration section makes the issue worse because users may treat the values as trusted examples and replicate insecure handling of secrets.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The environment variable example again discloses specific email credentials, potentially granting account access to anyone reading the skill. Because this is framed as secure usage guidance, it normalizes storing and sharing live secrets in documentation, increasing the chance of misuse and credential compromise.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
Piping a remotely downloaded script directly into bash executes unreviewed code with the user's privileges and removes any chance for integrity validation before execution. If the server, DNS, TLS chain, or hosting account is compromised, attackers can deliver arbitrary code for immediate execution.

Missing User Warnings

High
Confidence
95% confidence
Finding
The instructions say the configuration file is already preconfigured, without warning that this may include mailbox settings or secrets. In the context of an email-management skill, preconfigured account data is especially sensitive because it can expose access to mail contents, contacts, and the ability to send mail as the user.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The email-sharing workflow encourages sending a packaged skill via an already configured mail system but does not warn that the archive may include sensitive local files such as configuration, tokens, or mailbox data. Because the package is intended for redistribution, omission of a sensitivity check increases the chance of accidental disclosure.

Missing User Warnings

High
Confidence
99% confidence
Finding
The document includes a concrete plaintext email password in a sample configuration file, which directly exposes credentials and normalizes unsafe secret storage. Anyone with access to the document, filesystem, logs, backups, or screenshots could reuse the credential to access the mailbox and potentially other linked services.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The documentation advertises attachment download to a user-specified output directory without warning about filesystem write risks such as overwriting existing files, unsafe filenames, or writing sensitive content to disk. In an agent/tooling context, examples like this can normalize unsafe usage and increase the chance of unintended file writes when the skill is invoked automatically.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The bulk email loop demonstrates repeated outbound sending without any warning about rate limits, accidental mass mailing, or unintended delivery to recipients. In an agent skill, this is risky because users or automated systems may copy the example directly, causing spam-like behavior, data leakage, or irreversible outbound actions.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The document promotes a skill that can send, read, search, and download email content and attachments, but it does not disclose the privacy and security implications of granting IMAP/SMTP access or handling sensitive mailbox data. For an email-management skill, missing warnings about credential use, mailbox access scope, and possible effects on user data can mislead operators into deploying it without informed consent or adequate safeguards.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README instructs users to store an email address and 163.com authorization code in a plaintext local config file, but gives no warning about credential sensitivity, file permissions, or safer storage options. Those credentials enable mailbox access and potentially email sending, so if the file is exposed through local compromise, backups, logs, or accidental sharing, an attacker could access the account.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README instructs users to store the email address and authorization code in a local JSON config file, but provides no warning about credential sensitivity, file permissions, or safer storage options. Even if the auth code is not the primary account password, it still grants mailbox access and could be exposed through weak filesystem permissions, backups, logs, screenshots, or accidental commits.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The report includes example commands for irreversible bulk deletion, including `batch-delete --all --expunge`, in a release recommendation context with minimal safety framing. Although one later example says '危险操作!', the flagged section presents destructive workflows as normal test scenarios and could encourage accidental mass data loss if copied by users.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The report documents successful email sending and attachment transmission, including a real recipient address and local file path, but provides no warning that using these features transfers potentially sensitive content outside the system. In an agent skill context, this can normalize exfiltration-like behavior and mislead users into invoking outbound email actions without understanding privacy and data-sharing consequences.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The report highlights mailbox reading, unread filtering, folder enumeration, and search capabilities without warning that these operations expose potentially sensitive mailbox contents such as subjects, senders, and message metadata. In a skill package, this omission reduces informed consent and may encourage broad mailbox access patterns that users do not realize are privacy-sensitive.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger list includes generic phrases such as "need email management," which can match many unrelated user requests and cause this skill to activate unexpectedly. Because this skill appears to handle email operations, unintended invocation could expose sensitive email actions or route requests to a higher-risk capability without clear user intent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The tool collects a 163 mail authorization code and persists it to ~/.config/email-163-com/config.json, but the user is not clearly warned that the secret will be stored on disk for future reuse. Although the file mode is restricted to 0600, local credential persistence still increases exposure through backups, endpoint compromise, shell account reuse, or accidental disclosure.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Attachment filenames from untrusted email content are decoded and joined directly into the output path before being written to disk. A crafted filename containing path traversal sequences or collisions could overwrite files outside the intended directory or clobber existing files, and the tool gives no warning or safety check before local file creation.

Missing User Warnings

High
Confidence
97% confidence
Finding
The batch-delete command supports deleting arbitrary message sets and can permanently remove them with --expunge, but there is no confirmation prompt, dry-run mode, or explicit irreversible-action warning. Mistakes in IDs, ranges, or use of --all can therefore cause immediate destructive loss of mail data.

Missing User Warnings

High
Confidence
96% confidence
Finding
The batch-move workflow copies messages to a target folder, marks originals deleted, and can permanently remove originals with --expunge without any confirmation or validation that the copy operation completed as expected for the full set. User mistakes or server-side quirks could therefore turn a move into irreversible data loss.

Ssd 3

High
Confidence
98% confidence
Finding
The sharing template explicitly encourages distribution of a config 'already preconfigured' with mailbox information, which can expose private account details or authentication material. In an email skill, leaked configuration can enable unauthorized mailbox access, impersonation, and privacy breaches affecting both the owner and correspondents.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal