Thunderbird

Security checks across malware telemetry and agentic risk

Overview

This skill searches local Thunderbird mail and can optionally save or open attachments; those actions are sensitive but are disclosed and user-directed.

Install only if you want an agent to inspect local Thunderbird mail. Use narrow profile, account, folder, date, and limit filters; avoid full-body output unless needed; save attachments only to deliberate locations; and do not open saved attachments unless you trust the sender and file type.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (8)

MCP Least Privilege

Medium
Confidence: 92%
Finding
The skill is documented as a mail-reading/search utility, but the instructions clearly include capabilities that write files to disk (`--save-attachments`) and rely on environment/profile discovery. Undeclared file-write capability is security-relevant because it expands the trust boundary and can persist extracted sensitive data without an explicit permission declaration or user-facing safeguard.

MCP Tool Poisoning

High
Confidence: 96%
Finding
The stated purpose emphasizes reading and searching local Thunderbird mail, but the documented behavior goes further by extracting and saving attachments to arbitrary directories. That mismatch is dangerous because users or policy systems may grant the skill under a lower-risk 'read/search' assumption while it can actually copy sensitive payloads out of mail stores onto disk.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The documentation instructs the agent to open extracted attachments with external applications, which extends the skill from passive mail inspection into active execution/launch of untrusted content. Opening email attachments can trigger malicious documents, scripts, or application exploits on the host, making this significantly more dangerous than simple local search.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
Authorizing use of the system default opener from the CLI gives the skill a generic application-launch capability that is not necessary for answering inbox or mail-search questions. This is dangerous because it can cause execution of untrusted files or invoke vulnerable applications through attacker-controlled attachment formats.

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding
The skill advertises read/search access to local Thunderbird storage, but `maybe_save_attachments` creates directories and writes attachment bytes to arbitrary user-specified paths. This expands the capability from passive inspection to filesystem modification, which can surprise users, violate least privilege, and be abused to persist sensitive email attachments outside Thunderbird's protected storage.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
At the call site, matching results trigger attachment saving after search completion, confirming that the tool performs writes as part of normal operation even though its stated purpose is reading and searching mail. In a security-sensitive agent environment, undeclared write behavior is dangerous because it can exfiltrate or duplicate sensitive content onto disk without the user expecting state changes.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill allows saving attachments from local mail to disk but does not clearly communicate the privacy, retention, and data-handling consequences of copying potentially sensitive files out of Thunderbird storage. This increases the risk of unintended disclosure, persistence in insecure locations, or mishandling of regulated data.

Missing User Warnings

Medium
Confidence: 89%
Finding
The code writes attachments to disk with no interactive warning, confirmation, or audit-oriented notice beyond the existence of a CLI flag. Because email attachments may contain sensitive or executable content, silently materializing them on disk can create privacy, malware-handling, and data residency risks for users who believed the skill was read-only.

VirusTotal

64/64 vendors rated this skill as clean.