Back to skill

Security audit

Email Intelligence Assistant

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its email-assistant purpose, but it has under-disclosed third-party credential validation and unsafe/unclear side-effect controls around sensitive email data.

Install only after reviewing the data flows. Use a dedicated app password for email, a revocable AI API key, and a restricted Feishu webhook. Do not rely on --dry-run for a no-side-effect test. Avoid using this with regulated or highly confidential mailboxes unless you add redaction/consent controls, document the AI/Feishu transfers, and remove or clearly accept the yk-global token validation behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (15)

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The skill documentation contains a material contradiction: it claims the system is read-only and performs no sending or deleting, while other sections advertise reply generation, real-time push notifications, and batch replies. This mismatch can mislead users and reviewers about the actual capabilities and trust boundaries of the skill, increasing the risk of unauthorized outbound communication, over-privileged deployment, or unsafe approval of automation that is believed to be passive.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The script advertises a '--dry-run' mode but never uses the parsed flag to suppress side effects. As written, it still connects to IMAP, classifies mail, generates replies, and may push summaries to Feishu, which can cause unintended data disclosure or operational actions when an operator expected a safe preview.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The listing explicitly describes fetching mailbox contents, classifying messages with an external AI API, and pushing urgent alerts to Feishu, but it does not warn users that email content or extracted summaries may be transmitted to third-party services. Because email often contains sensitive personal, business, or credential-related data, this omission can lead to unintentional data disclosure and unsafe deployment in regulated or privacy-sensitive environments.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README describes a workflow that retrieves mailbox contents, classifies emails with AI, generates replies, and pushes summaries to Feishu, but it does not clearly warn users that email content and metadata may be transmitted to third-party services. In a customer-service context, emails often contain personal, financial, or confidential business data, so omission of an explicit privacy/data-handling warning increases the risk of unintentional sensitive-data disclosure.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
Unread email contents are sent into external AI classification/reply-generation components and optionally summarized to Feishu, but this file provides no explicit consent prompt, warning, or data-minimization safeguards. In an email-processing skill, that creates a meaningful privacy and confidentiality risk because sensitive customer messages may leave the mailbox boundary unexpectedly.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
When AI classification is enabled, the code sends email subject/body content to an external OpenAI-compatible API without any consent, notice, data-minimization guardrails, or trust validation of the configured endpoint. Because emails commonly contain sensitive personal, financial, or account data, this can cause unintended data disclosure to third parties or to a misconfigured/self-hosted endpoint.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The module sends email metadata and content-derived summaries to Feishu, including sender, subject, date, category, and reply suggestions, which can expose potentially sensitive customer or business information to an external third-party service. There is no built-in consent check, redaction, privacy notice, or policy gate before transmission, so deployments may unintentionally leak regulated or confidential data.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code sends email subject/body and sender data to an external AI provider via the OpenAI API, but this file contains no consent, warning, redaction, or data-classification controls before transmission. In a mail-processing context, emails may contain sensitive personal, commercial, or regulated data, so silent third-party disclosure creates a real privacy and compliance risk.

Unpinned Dependencies

Low
Category
Supply Chain
Content
imapclient>=2.3.0
email>=4.0.0
openai>=1.0.0
pyyaml>=6.0
Confidence
93% confidence
Finding
imapclient>=2.3.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
imapclient>=2.3.0
email>=4.0.0
openai>=1.0.0
pyyaml>=6.0
requests>=2.28.0
Confidence
97% confidence
Finding
email>=4.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
imapclient>=2.3.0
email>=4.0.0
openai>=1.0.0
pyyaml>=6.0
requests>=2.28.0
Confidence
93% confidence
Finding
openai>=1.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
imapclient>=2.3.0
email>=4.0.0
openai>=1.0.0
pyyaml>=6.0
requests>=2.28.0
Confidence
98% confidence
Finding
pyyaml>=6.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
email>=4.0.0
openai>=1.0.0
pyyaml>=6.0
requests>=2.28.0
Confidence
97% confidence
Finding
requests>=2.28.0

Known Vulnerable Dependency: pyyaml — 8 advisory(ies): CVE-2019-20477 (Deserialization of Untrusted Data in PyYAML); CVE-2020-1747 (Improper Input Validation in PyYAML); CVE-2020-14343 (Improper Input Validation in PyYAML) +5 more

Critical
Category
Supply Chain
Confidence
96% confidence
Finding
pyyaml

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
95% confidence
Finding
requests

VirusTotal

No VirusTotal findings

View on VirusTotal

Static analysis

No suspicious patterns detected.