Send Email Tool

Security checks across malware telemetry and agentic risk

Overview

This email skill appears purpose-built rather than malicious, but it should be reviewed because it can persist email credentials in easily reversible local files and can email local files or images externally.

Install only if you are comfortable giving the skill SMTP sending authority. Use a dedicated app password, verify keyring works before saving credentials, and avoid or delete ~/.send_email_password and ~/.send_email_username if created. Review recipients, CC/BCC, attachments, Markdown image paths, and inline-image paths before sending, especially when using automation or cron.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Rogue AgentSelf-Modification, Session Persistence
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration

Findings (15)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 94% confidence
Finding: The skill documentation describes capabilities to read local files, write configuration and credential backup files in the user's home directory, and execute shell commands, yet no permissions are declared. This creates a transparency and consent gap: an agent may invoke file and shell operations users did not explicitly authorize, increasing the chance of unintended data access or modification.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 96% confidence
Finding: The declared purpose says this is an SMTP email sender, but the documented behavior extends to credential storage, persistent local file writes, template loading, Markdown conversion, and automatic embedding of local images. This mismatch is dangerous because users may approve a seemingly simple mail-sending skill without realizing it can persist secrets and ingest arbitrary local content into outbound emails.

Intent-Code Divergence

Medium

Confidence: 98% confidence
Finding: The document claims keyring use is mandatory and safe, but then states the tool falls back to storing credentials in base64-encoded files under the user's home directory. Base64 is not encryption, so this can expose email credentials to local compromise, backups, or accidental disclosure while giving users a false sense of security.

Intent-Code Divergence

Medium

Confidence: 97% confidence
Finding: The guidance says not to pass the sender email on the command line, but the setup instructions explicitly use `--email` in a command example. This inconsistency encourages secret-bearing or identity-bearing CLI usage that may be exposed through shell history, process listings, logs, or agent transcripts.

Intent-Code Divergence

Low

Confidence: 90% confidence
Finding: The recommendations assert credentials will not be exposed on the command line or in context, but other documented examples instruct users to pass the sender email as a CLI argument. Even if this example concerns username rather than password, the contradiction degrades operator trust and can normalize exposing sensitive account metadata in logs and shell history.

Context-Inappropriate Capability

Medium

Confidence: 95% confidence
Finding: The skill persists SMTP credentials and, if keyring is unavailable, falls back to local files in the user's home directory. Although the fallback uses base64 and chmod 0600, base64 is not protection and local plaintext-equivalent credential storage increases the risk of credential disclosure on shared hosts, backups, or through other local compromise.

Missing User Warnings

Medium

Confidence: 86% confidence
Finding: The example instructs users to send the contents of a local Markdown file directly as an email body and describes automatic embedding of referenced local images, but it does not warn that those local files and image contents will be transmitted to an external recipient. In a mail-sending skill, this can lead to accidental exfiltration of sensitive local content if users test with real files or forget to replace placeholder paths.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The inline-image example tells users to pass a local filesystem path via --inline-images and send the message, but it omits a clear warning that the referenced image file will be embedded into the outgoing email. Because the skill's purpose is external transmission, the lack of disclosure increases the risk of unintentionally sending private local images or other files to third parties.

Missing User Warnings

Medium

Confidence: 82% confidence
Finding: The document instructs users to send the Markdown file directly and states that images will be automatically extracted, converted, and embedded, but it does not warn that local image files referenced by path may be read from disk and transmitted to email recipients. In an email-sending skill, this can cause unintended disclosure of local files or recipient-visible content when users test with real paths or sensitive documents.

Missing User Warnings

Medium

Confidence: 98% confidence
Finding: When keyring fails, the code stores the SMTP password in a backup file using only base64 encoding and does not provide a strong, explicit warning at the point of storage that this is not secure. Users may incorrectly assume their password is safely protected, leading to avoidable credential exposure.

Credential Access

High

Category: Privilege Escalation
Content: ### ⚠️ 重要：密码安全本技能**强制使用 keyring** 管理发件人邮箱和密码，避免敏感信息暴露在命令行或上下文中。 ### 安装 keyring
Confidence: 95% confidence
Finding: keyring

Credential Access

High

Category: Privilege Escalation
Content: # 配置发件人名称 python3 send_email.py sender --name "Your Name" # 保存发件人邮箱到 keyring python3 send_email.py username --save --email your-email@gd.chinamobile.com # 查看当前配置
Confidence: 92% confidence
Finding: keyring

Credential Access

High

Category: Privilege Escalation
Content: 8. **测试：** 首次使用时，建议先发送测试邮件给自己 9. **keyring 备用方案：** 如果 keyring 不可用，密钥会保存在 `~/.send_email_password` 和 `~/.send_email_username`（base64 编码），文件权限为 600。注意这不是加密，仅避免明文存储。 ## 安全流程
Confidence: 99% confidence
Finding: keyring

Credential Access

High

Category: Privilege Escalation
Content: 8. **测试：** 首次使用时，建议先发送测试邮件给自己 9. **keyring 备用方案：** 如果 keyring 不可用，密钥会保存在 `~/.send_email_password` 和 `~/.send_email_username`（base64 编码），文件权限为 600。注意这不是加密，仅避免明文存储。 ## 安全流程
Confidence: 99% confidence
Finding: keyring

Session Persistence

Medium

Category: Rogue Agent
Content: 添加到 cron： ```bash crontab -e # 添加：每天早上 8:00 执行 0 8 * * * ~/clawd/skills/send-email/scripts/send-x-news.sh ```
Confidence: 86% confidence
Finding: crontab -e

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal