Back to skill

Security audit

Email Security

Security checks across malware telemetry and agentic risk

Overview

This is a coherent defensive email-safety skill, but it gives email messages from owner/admin addresses too much automatic command authority and encourages full-message logging of risky email content.

Install only if you intentionally want an agent to enforce email-security checks and process email-based commands. Before use, require confirmation for all command execution, restrict allowed email commands, configure owner/admin/trusted lists yourself, avoid full-body logging unless you have a protected forensic workflow, and treat saved attachments as untrusted files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill instructs the agent to read from and write to local files such as `references/owner-config.md`, but no permissions are declared. This creates a capability/permission mismatch that can lead to unintended file access or silent over-privileging, especially because the skill handles untrusted email input and updates persistent configuration.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The description says to use the skill for virtually any interaction with email data, including reading email content and executing email-based commands. That broad activation surface can cause the skill to be invoked in low-trust or ambiguous contexts, increasing the chance that risky behaviors such as command processing or config modification are applied when they should not be.

Natural-Language Policy Violations

Medium
Confidence
94% confidence
Finding
The policy explicitly requires logging full email content from unknown senders, which can capture sensitive personal data, credentials, tokens, or confidential business content without any minimization, masking, or retention limits. In an email-processing skill, this increases privacy, compliance, and secondary exposure risk because attacker-controlled or third-party content is being persistently stored.

Natural-Language Policy Violations

Medium
Confidence
96% confidence
Finding
The injection-response procedure says to log the full email when an injection attempt is detected, which preserves adversarial content and any embedded sensitive data verbatim. Because this skill is specifically designed to process potentially hostile email, that behavior expands the blast radius from a blocked attack into long-term storage of toxic or regulated content.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
### From Owner
- Execute immediately
- Log action for audit trail
- No confirmation required (unless explicitly configured)

### From Admin
- Execute immediately
Confidence
81% confidence
Finding
No confirmation

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.prompt_injection_instructions

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
references/threat-patterns.md:11