Back to skill

Security audit

QQ Email Manager

Security checks across malware telemetry and agentic risk

Overview

This email skill appears to do what it claims, but it can read and send mail using stored credentials and attach arbitrary local files without built-in confirmation safeguards.

Review before installing. Use an app-specific email password, restrict access to the config file, keep it out of version control, and require manual review of recipients, message body, reply-all/forward targets, and every attachment path before allowing the agent to send mail.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill clearly performs network access to IMAP/SMTP services and reads local configuration files containing mailbox credentials, yet no permissions are declared. This creates a transparency and governance gap: the agent can access sensitive email content and authenticate to external services without explicit user-facing permission boundaries or review metadata.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
This skill enables high-impact actions such as reading mail, sending messages, replying, forwarding, and handling mailbox credentials, but the documentation does not warn about privacy exposure, account misuse, or irreversible actions. In the context of email, missing consent and safety guidance is more dangerous because the tool can expose confidential communications and send messages as the user.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The send command accepts arbitrary local file paths from the caller and attaches those files to outbound email with no allowlist, path restriction, consent checkpoint, or sensitivity screening. In an agent setting, this creates a clear exfiltration path: if the agent is induced to supply paths such as configuration files, keys, tokens, or internal documents, the script will read and transmit them off-host.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.