Back to skill

Security audit

MAMA

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a real multi-account mail assistant, but it needs review because it handles mailbox credentials/content and executes local Python configuration files.

Install only if you trust the publisher and are comfortable granting this skill access to your mailbox. Prefer data-only JSON config, avoid arbitrary --config paths and Python config files, use an app-specific mail credential with the least access available, prefer stdin or environment input over temporary files, protect and periodically clean .temp outputs/raw emails/attachments, and manually review recipients before any --send or --confirm operation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (10)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
return {}
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)
    return {key: getattr(module, key) for key in dir(module) if key.isupper()}


def normalize_recipient(value: str, default_domain: str = DEFAULT_DOMAIN) -> str:
Confidence
92% confidence
Finding
return {key: getattr(module, key) for key in dir(module) if key.isupper()}

Lp3

Medium
Category
MCP Least Privilege
Confidence
97% confidence
Finding
The skill clearly instructs use of shell commands, local config files, environment/STDIN secret input, file writes, and IMAP/SMTP network access, yet it declares no permissions. This creates a capability-transparency gap: a caller or platform may not realize the skill can access local secrets, read/write mail data, and send network requests, increasing the chance of over-broad invocation or unsafe deployment.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The analyzer loads configuration by importing and executing a local Python file with exec_module(), which gives that file arbitrary code execution in the context of the agent. In a mailbox-processing skill, this is dangerous because a modified or attacker-supplied config can run commands, access mailbox data, or exfiltrate secrets far beyond the stated purpose of email analysis.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The legacy config loader executes a Python file via importlib, which means any code placed in mail_config.py or a caller-supplied path runs with the agent's privileges. For a mailbox configuration helper, treating configuration as executable code creates an unnecessary code-execution surface that can be abused for local RCE, secret theft, or persistence.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code dynamically builds and executes a module from a filesystem path, and load_raw_config() allows arbitrary non-.json paths to reach this path. If an attacker can influence the config path or place a malicious file at an expected location, they can trigger arbitrary code execution inside a component that should only parse mailbox settings.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases include broad everyday terms like '检查邮箱', '查看邮箱', '搜索邮件', '读取邮件', and '发送邮件', which can match routine conversation and invoke a high-impact skill that accesses mail accounts and can prepare or send messages. In this context, accidental activation is more dangerous because the skill has network, file, and mail-manipulation capabilities across one or more accounts.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guide instructs users or agents to place a sensitive mail client credential in a temporary file under /tmp and then read its first line, but it does not warn about file permissions, residual plaintext on disk, symlink risks, or cleanup after use. In this skill context, the secret is an email authentication value used to access one or more mailbox accounts, so exposure could enable unauthorized mailbox access, email exfiltration, or abuse of the account for sending mail.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The guide defines a broad default keyword set and states that matching applies across subject, sender, body preview, and attachment names, but it provides no scoping, exclusion rules, or account/data minimization constraints. In a multi-account mail agent, this can cause over-collection and processing of sensitive emails unrelated to the user’s immediate task, increasing the chance of privacy leakage, unintended cross-context monitoring, and accidental triggering on benign messages.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The guide describes a rapid forwarding flow that can attach the original .eml message, but it does not warn that forwarding full raw emails may expose unintended personal data, internal headers, routing metadata, hidden recipients, or sensitive attachments. In a multi-account mail agent, this is more dangerous because users may act quickly across different accounts and accidentally disclose data from the wrong mailbox or to the wrong recipient.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
When --raw-dir is supplied, the script saves full raw .eml messages to disk, which can include complete message bodies, headers, attachment metadata, and potentially sensitive personal or business information. In a multi-account mailbox skill, this increases privacy and data-retention risk because users may not realize that mail content is being persistently stored outside the mail server, where local filesystem permissions, backups, or later exfiltration could expose it.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dynamic_code_execution

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
scripts/analyze_emails.py:70

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
scripts/forward_mail.py:33

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
scripts/init_config.py:253

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
scripts/mail_accounts.py:33