IMAP/SMTP Email (Plus)

Security checks across malware telemetry and agentic risk

Overview

This email skill mostly does what it says, but it carries a real risk of unsafe file writes when downloading attachments, and it holds broad mailbox authority. Both should be reviewed before installation.

Install only if you are comfortable granting the agent access to read, search, mutate, and send mail for the configured account. Use a dedicated mailbox or app password, protect or avoid the .env file, review recipients and attachment paths before sending, and do not download attachments from untrusted messages until filenames are sanitized and writes are confined to the chosen directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill clearly uses sensitive capabilities: environment variables for credentials and network access to IMAP/SMTP servers, but the metadata does not declare those permissions. This can mislead reviewers and users about the skill's trust boundary, especially because it handles mailbox contents and outbound email actions using stored secrets.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented behavior exceeds the stated purpose by including mailbox-moving, mailbox enumeration, attachment download to local disk, credential collection/writing, and test-email transmission. That mismatch is dangerous because users may authorize a skill expecting simple read/send behavior, while it also performs additional state-changing and data-exporting actions that increase privacy and integrity risk.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The documentation understates the skill's ability to move messages and save attachments locally, both of which materially expand risk beyond passive email access. In an email skill, downloading attachments to disk can introduce sensitive-data sprawl, and moving messages can alter user records or workflows.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README instructs users to configure real IMAP/SMTP credentials and use the skill to read and send email, but it does not clearly warn that the skill can access mailbox contents, transmit data to external recipients, and perform account-impacting actions such as marking messages read or sending attachments. In an email automation context, omission of privacy and account-risk warnings can mislead users into granting sensitive access without understanding the consequences, increasing the chance of unintended disclosure or misuse.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill supports actions that modify mailbox state, such as marking messages read/unread and moving them between folders, but does not prominently warn users that these are destructive or state-changing operations. In an email context, such changes can hide unread mail, disrupt automation, interfere with audits, or alter business workflows.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill processes highly sensitive data—email contents, attachments, recipients, mailbox metadata, and account credentials—and communicates with external mail servers, yet the description does not provide a clear privacy warning. Users may therefore underestimate the sensitivity of the accessed data and the exposure created by transmitting or storing it locally.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Attachment filenames from untrusted email content are joined directly with the user-controlled output directory and written to disk without sanitization. A malicious attachment name such as '../../.ssh/authorized_keys' or an absolute path could cause path traversal and overwrite arbitrary local files accessible to the process.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The test command performs a real outbound side effect by sending an email to the configured account, but the command name and flow do not clearly warn that it sends mail rather than only verifying connectivity. In an agent setting, this can cause unintended external actions, generate noise, leak metadata, or surprise users who expected a non-delivering health check.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script stores the user's email password or app password in plaintext in a local .env file, which can be read by other local users, accidentally committed to version control, or exposed by backups and logs. In an email skill, these credentials typically grant broad mailbox access and outbound mail capability, so compromise can lead to account takeover, message exfiltration, and phishing abuse.

VirusTotal

65/65 vendors flagged this skill as clean.
