ClawHub
Back to skill

Security audit

163mail

Security checks across malware telemetry and agentic risk

Overview

This is a functional 163.com mail skill, but it ships live-looking mailbox credentials and undocumented scripts that can send fixed emails to a hard-coded recipient.

Treat this version as Review before installing. Do not use the bundled config.json credentials; remove them and rotate the exposed account authorization code. Review or delete send-email.js and send-word-email.js, restore TLS certificate verification, and require explicit confirmation before sending, forwarding, replying, or permanently deleting mail.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
This script is not a neutral document-generation utility: it automatically sends a hard-coded outbound email to a specific recipient with a personal sign-off, while presenting itself as a generic mail skill. In an agent-skill context, that mismatch is dangerous because it can covertly use configured email credentials to contact an unintended third party without the operator's explicit awareness or consent.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill exposes state-changing actions such as sending, replying, forwarding, and deleting email without clearly warning users that these operations are destructive or externally visible. In an agent setting, this increases the chance of unintended data loss or unauthorized outbound communication if commands are triggered with ambiguous prompts or insufficient confirmation.

Missing User Warnings

High
Confidence
93% confidence
Finding
The delete command permanently removes mail by calling expunge immediately after adding the \Deleted flag, with no confirmation, undo, or soft-delete stage. In an agent skill context, this is dangerous because a mistaken, ambiguous, or prompt-influenced command can irreversibly destroy user data.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This file unconditionally sends an email to a hardcoded external recipient when executed, with no user confirmation, no runtime validation of destination, and no safety gating. In an agent skill context, this is risky because the action is externally observable, can leak data or generate unwanted communications, and could be triggered unintentionally or repurposed for spam/phishing-like behavior.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The code loads SMTP credentials from configuration and immediately transmits an email and attachment without any user confirmation, preview, or policy gate. In an autonomous or semi-autonomous agent environment, this enables unauthorized external communication and misuse of stored credentials, which can lead to spam, data leakage, or reputational damage.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"description": "163 邮箱收发邮件技能",
  "main": "index.js",
  "dependencies": {
    "docx": "^9.6.1",
    "imap": "^0.8.19",
    "mailparser": "^3.6.5",
    "nodemailer": "^6.9.7"
Confidence
92% confidence
Finding
"docx": "^9.6.1"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"main": "index.js",
  "dependencies": {
    "docx": "^9.6.1",
    "imap": "^0.8.19",
    "mailparser": "^3.6.5",
    "nodemailer": "^6.9.7"
  },
Confidence
92% confidence
Finding
"imap": "^0.8.19"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"dependencies": {
    "docx": "^9.6.1",
    "imap": "^0.8.19",
    "mailparser": "^3.6.5",
    "nodemailer": "^6.9.7"
  },
  "scripts": {
Confidence
95% confidence
Finding
"mailparser": "^3.6.5"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"docx": "^9.6.1",
    "imap": "^0.8.19",
    "mailparser": "^3.6.5",
    "nodemailer": "^6.9.7"
  },
  "scripts": {
    "install-deps": "npm install"
Confidence
96% confidence
Finding
"nodemailer": "^6.9.7"

Known Vulnerable Dependency: mailparser==3.6.5 — 1 advisory(ies): CVE-2026-3455 (mailparser vulnerable to Cross-site Scripting)

Low
Category
Supply Chain
Confidence
86% confidence
Finding
mailparser==3.6.5

Known Vulnerable Dependency: nodemailer==6.9.7 — 5 advisory(ies): GHSA-9h6g-pr28-7cqp (nodemailer ReDoS when trying to send a specially crafted email); GHSA-c7w3-x93f-qmm8 (Nodemailer has SMTP command injection due to unsanitized `envelope.size` paramet); CVE-2025-13033 (Nodemailer: Email to an unintended domain can occur due to Interpretation Confli) +2 more

High
Category
Supply Chain
Confidence
98% confidence
Finding
nodemailer==6.9.7

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal, suspicious.insecure_tls_verification

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
index.js:27

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
index.js:40

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
index.js:44