Mufi Email Manager

Security checks across malware telemetry and agentic risk

Overview

This is a coherent email-management skill, but it handles real mailbox credentials, can change message state and send mail on the user's behalf, and pins dependencies with published advisories, so it should be used carefully and only with updated dependencies.

Install only if you are comfortable giving this skill access to the configured mailboxes. In particular:
  • Use app passwords where available.
  • Keep the .env file private.
  • Review any reply before invoking the send command.
  • Avoid adding cron jobs unless you want recurring mailbox access.
  • Update dependencies before regular use.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch
Severity: Medium
Confidence: 93%
Finding: The library exposes write-capable IMAP operations that change message state by adding or removing the \Seen flag. In the context of a skill described primarily as reading, summarizing, filtering, and digesting email, this is a real scope-expansion risk because downstream callers can silently alter mailbox state and affect what users perceive as unread mail.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The skill documents automatic reply behavior and custom outbound replies without a prominent warning that it will send email on the user's behalf. In an email-management context, this can lead to unintended external communication, accidental disclosure, reputational damage, or message loops if users do not understand that invoking the feature transmits mail immediately.

Missing User Warnings
Severity: Medium
Confidence: 88%
Finding: The digest feature states that mailbox summaries can be sent as HTML email but does not clearly warn that message-derived content may be transmitted to configured recipients. Because digests may contain sensitive subjects, names, or categorized mailbox data, misconfiguration or unreviewed sending could leak private information outside the intended audience.
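The two findings above (unannounced auto-replies and digests that carry message-derived content) share one practical mitigation: put a policy gate in front of the transport. The following is an added example written for this page, not code from Mufi Email Manager. It suppresses auto-replies to machine-generated inbound mail (RFC 3834 Auto-Submitted, Precedence, List-* headers, null return path), stamps outgoing auto-replies with Auto-Submitted: auto-replied so other responders do not answer them, and refuses any outbound message whose recipients fall outside a domain allowlist or that the user has not explicitly confirmed. The policy shape, the function names and the sample messages are assumptions.

```javascript
// Added example; not code from Mufi Email Manager. Gates outbound mail in front of
// whatever transport the skill uses. Policy shape, names and samples are assumptions.

function normalizeHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = String(v).trim();
  return out;
}

// Decide whether an inbound message may receive an automatic reply (loop prevention).
function shouldAutoReply(headers) {
  const h = normalizeHeaders(headers);
  const autoSubmitted = (h['auto-submitted'] || 'no').toLowerCase();
  if (autoSubmitted !== 'no') return { reply: false, reason: `Auto-Submitted: ${autoSubmitted}` };
  const precedence = (h['precedence'] || '').toLowerCase();
  if (['bulk', 'list', 'junk'].includes(precedence)) return { reply: false, reason: `Precedence: ${precedence}` };
  if (h['list-id'] || h['list-unsubscribe']) return { reply: false, reason: 'mailing-list traffic' };
  if (h['return-path'] === '<>') return { reply: false, reason: 'null return path (bounce)' };
  const from = (h['from'] || '').toLowerCase();
  if (!from) return { reply: false, reason: 'missing From' };
  if (/mailer-daemon|postmaster|no-?reply|do-?not-?reply/.test(from)) {
    return { reply: false, reason: 'automated sender address' };
  }
  return { reply: true, reason: 'looks like a human sender' };
}

// Extract the lowercased domain from "Name <user@host>" or "user@host"; null if malformed.
function recipientDomain(addr) {
  const m = String(addr).match(/<([^>]+)>\s*$/);
  const bare = (m ? m[1] : String(addr)).trim().toLowerCase();
  const at = bare.lastIndexOf('@');
  if (at < 1 || at === bare.length - 1) return null;
  return bare.slice(at + 1);
}

// Check an outbound message (reply or digest) against policy before it is sent.
function vetOutbound(mail, policy) {
  const errors = [];
  const recipients = [].concat(mail.to || [], mail.cc || [], mail.bcc || []);
  if (recipients.length === 0) errors.push('no recipients');
  if (policy.maxRecipients && recipients.length > policy.maxRecipients) {
    errors.push(`${recipients.length} recipients exceeds limit of ${policy.maxRecipients}`);
  }
  for (const r of recipients) {
    const domain = recipientDomain(r);
    if (!domain) { errors.push(`unparseable recipient: ${r}`); continue; }
    if (!policy.allowedDomains.includes(domain)) errors.push(`recipient outside allowlist: ${r}`);
  }
  if (policy.requireConfirmation && mail.confirmed !== true) errors.push('send not confirmed by user');
  // Mark our own auto-replies so other auto-responders leave them alone.
  const headers = { ...(mail.headers || {}) };
  if (mail.kind === 'auto-reply') headers['Auto-Submitted'] = 'auto-replied';
  return { ok: errors.length === 0, errors, mail: { ...mail, headers } };
}

// Constructed samples: a bounce that must not be answered, a human message that may be,
// and an unconfirmed digest that would leak summarized mail to an outside domain.
const SAMPLE_POLICY = { allowedDomains: ['example.com'], requireConfirmation: true, maxRecipients: 5 };
const SAMPLE_BOUNCE = { From: 'MAILER-DAEMON@example.net', 'Auto-Submitted': 'auto-replied', Subject: 'Undeliverable' };
const SAMPLE_HUMAN = { From: 'Alice <alice@example.com>', Subject: 'Lunch?' };
const SAMPLE_DIGEST = {
  kind: 'digest',
  to: ['bob@example.com'],
  bcc: ['archive@evil.test'],
  subject: 'Daily digest',
  html: '<ul><li>Re: salary review (HR)</li></ul>',
};

console.log(shouldAutoReply(SAMPLE_BOUNCE), shouldAutoReply(SAMPLE_HUMAN));
console.log(vetOutbound(SAMPLE_DIGEST, SAMPLE_POLICY).errors);
```

The digest sample is rejected twice over: the bcc recipient is outside the allowlist and the user never confirmed the send. An auto-reply is still subject to the confirmation check, so a deployment that wants unattended replies has to set `confirmed` deliberately rather than by default.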

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The functions provide mailbox state changes without any built-in warning, confirmation, or policy checks, allowing callers to alter unread/read status silently. That can mislead users, interfere with triage workflows, and create integrity issues in an email-management context where message state carries operational meaning.
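The first finding (write-capable \Seen operations) and this one (no policy check on state changes) are easiest to address at the protocol boundary. Note that explicit STORE is not the only way a "read-only" summarizer changes state: under RFC 3501 a FETCH of BODY[...], RFC822 or RFC822.TEXT implicitly sets \Seen, while BODY.PEEK[...], RFC822.HEADER and RFC822.SIZE do not. The following added example (written for this page, not code from Mufi Email Manager) classifies raw IMAP command lines, refuses state-changing commands unless a policy explicitly allows mutation, and rewrites implicit-\Seen fetches to their PEEK form. The function names and the policy object are assumptions.

```javascript
// Added example; not code from Mufi Email Manager. Inspects raw IMAP command lines before
// they are sent so a read-only integration cannot change mailbox state. Classes follow
// RFC 3501 and RFC 6851 (MOVE); function names and the policy shape are assumptions.

// Commands that change mailbox or message state outright. CLOSE is included because it
// expunges messages flagged \Deleted; UNSELECT (RFC 3691) is the side-effect-free alternative.
const MUTATING = new Set([
  'STORE', 'COPY', 'MOVE', 'APPEND', 'EXPUNGE', 'CLOSE', 'DELETE', 'CREATE',
  'RENAME', 'SUBSCRIBE', 'UNSUBSCRIBE', 'SETACL', 'DELETEACL',
]);
// Commands that only read, or open a mailbox read-only (EXAMINE).
const READ_ONLY = new Set([
  'EXAMINE', 'SEARCH', 'STATUS', 'LIST', 'LSUB', 'NOOP', 'CAPABILITY', 'IDLE',
  'UNSELECT', 'LOGOUT', 'NAMESPACE',
]);
// FETCH data items that implicitly set \Seen: BODY[...] (not BODY.PEEK[...]), RFC822 and
// RFC822.TEXT. RFC822.SIZE and RFC822.HEADER do not, so the lookahead excludes them.
const SEEN_SETTING_ITEMS = /\bBODY\[|\bRFC822(\.TEXT)?\b(?!\.)/i;

function classifyImapCommand(line) {
  const tokens = String(line).trim().split(/\s+/);
  if (tokens.length < 2) return { command: null, kind: 'unknown', reason: 'no command' };
  let i = 1; // tokens[0] is the client tag
  if (tokens[i].toUpperCase() === 'UID') i += 1;
  const command = (tokens[i] || '').toUpperCase();
  const args = tokens.slice(i + 1).join(' ');

  if (MUTATING.has(command)) return { command, kind: 'mutating', reason: `${command} changes mailbox state` };
  if (command === 'FETCH') {
    return SEEN_SETTING_ITEMS.test(args)
      ? { command, kind: 'implicit-seen', reason: 'BODY[...] or RFC822/RFC822.TEXT sets \\Seen as a side effect' }
      : { command, kind: 'read-only', reason: 'FETCH with PEEK or metadata items only' };
  }
  if (command === 'SELECT') return { command, kind: 'session', reason: 'opens mailbox read-write; prefer EXAMINE' };
  if (['LOGIN', 'AUTHENTICATE', 'STARTTLS'].includes(command)) return { command, kind: 'session', reason: 'session setup' };
  if (READ_ONLY.has(command)) return { command, kind: 'read-only', reason: `${command} does not modify state` };
  return { command, kind: 'unknown', reason: 'unrecognised command; treated as mutating' };
}

// Rewrite a FETCH so the same data comes back without touching \Seen.
function rewriteToPeek(line) {
  return String(line)
    .replace(/\bRFC822\.TEXT\b/gi, 'BODY.PEEK[TEXT]')
    .replace(/\bRFC822\b(?!\.)/gi, 'BODY.PEEK[]')
    .replace(/\bBODY\[/gi, 'BODY.PEEK[');
}

// Policy gate. With allowMutation=false (the default) state-changing and unknown commands
// are refused and implicit-\Seen fetches are rewritten; allowMutation=true passes everything.
function guardImapCommand(line, policy = { allowMutation: false }) {
  const c = classifyImapCommand(line);
  if (policy.allowMutation) return { allowed: true, line, ...c };
  if (c.kind === 'mutating' || c.kind === 'unknown') return { allowed: false, line, ...c };
  if (c.kind === 'implicit-seen') {
    return { allowed: true, line: rewriteToPeek(line), ...c, kind: 'read-only', reason: 'rewritten to BODY.PEEK' };
  }
  return { allowed: true, line, ...c };
}

// Constructed sample commands in the order a summarizing skill might issue them.
const SAMPLE_COMMANDS = [
  'a001 EXAMINE INBOX',
  'a002 UID SEARCH UNSEEN',
  'a003 UID FETCH 1:* (FLAGS BODY[HEADER.FIELDS (FROM SUBJECT DATE)])',
  'a004 UID FETCH 1:* (BODY.PEEK[TEXT])',
  'a005 UID STORE 42 -FLAGS (\\Seen)',
];
for (const cmd of SAMPLE_COMMANDS) {
  const g = guardImapCommand(cmd);
  console.log(`${g.allowed ? 'ALLOW' : 'DENY '} ${g.kind.padEnd(13)} ${g.line}`);
}
```

Command a003 is the interesting case: it looks like a harmless header fetch but would mark every message read; the gate lets it through only after rewriting it to BODY.PEEK. Command a005 (the explicit unread/read toggle the findings describe) is denied unless the caller passes `{ allowMutation: true }`, which is where a confirmation prompt belongs.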

Known Vulnerable Dependency: mailparser==3.7.1 — 1 advisory: CVE-2026-3455 (mailparser vulnerable to Cross-site Scripting)
Severity: Low
Category: Supply Chain
Confidence: 85%
Finding: mailparser==3.7.1

Known Vulnerable Dependency: nodemailer==6.9.16 — 4 advisories: GHSA-c7w3-x93f-qmm8 (Nodemailer has SMTP command injection due to unsanitized `envelope.size` paramet); CVE-2025-13033 (Nodemailer: Email to an unintended domain can occur due to Interpretation Confli); CVE-2025-14874 (Nodemailer’s addressparser is vulnerable to DoS caused by recursive calls) +1 more
Severity: High
Category: Supply Chain
Confidence: 95%
Finding: nodemailer==6.9.16
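The two dependency findings above, together with the Unpinned Dependencies pattern SkillSpector checks for, can be turned into a pre-install gate a user runs before trusting the skill. The following added example (written for this page, not code from Mufi Email Manager) audits a package.json and an optional lockfile view against the package/version pairs this report lists. Only the package names, versions, severities and advisory identifiers come from the report; the page gives no fixed versions, so the audit flags exact matches as known-vulnerable rather than guessing at affected ranges. The sample manifest, the lock map and the helper names are assumptions.

```javascript
// Added example; not code from Mufi Email Manager. Audits a manifest against the advisories
// this report lists and flags unpinned ranges. Sample manifest and names are assumptions.

// Package/version pairs and advisory ids exactly as the report lists them. The report does
// not state fixed versions, so the check is an exact-match check, not a range check.
const REPORTED_ADVISORIES = [
  { name: 'nodemailer', version: '6.9.16', severity: 'High', ids: ['GHSA-c7w3-x93f-qmm8', 'CVE-2025-13033', 'CVE-2025-14874'] },
  { name: 'mailparser', version: '3.7.1', severity: 'Low', ids: ['CVE-2026-3455'] },
];

// An exact x.y.z (optionally with a prerelease tag). Anything with ^, ~, *, >= or a
// dist-tag resolves to whatever the registry serves at install time.
const PIN_RE = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

function isPinned(spec) {
  return PIN_RE.test(String(spec).trim());
}

// manifest: parsed package.json. lock: optional map of name -> resolved version taken
// from the lockfile; when absent, a pinned spec is taken as the resolved version.
function auditManifest(manifest, lock = {}) {
  const findings = [];
  const deps = { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
  for (const [name, spec] of Object.entries(deps)) {
    if (!isPinned(spec)) {
      findings.push({ name, severity: 'Medium', issue: `unpinned range "${spec}"` });
    }
    const resolved = lock[name] || (isPinned(spec) ? String(spec).trim() : null);
    if (resolved === null) {
      findings.push({ name, severity: 'Info', issue: 'no lockfile entry; resolved version unknown' });
      continue;
    }
    for (const adv of REPORTED_ADVISORIES) {
      if (adv.name === name && adv.version === resolved) {
        findings.push({ name, severity: adv.severity, issue: `${resolved} is listed as vulnerable: ${adv.ids.join(', ')}` });
      }
    }
  }
  return findings;
}

// Highest severity present, for turning the audit into a go/no-go decision.
const SEVERITY_ORDER = ['Info', 'Low', 'Medium', 'High'];
function worstSeverity(findings) {
  return findings.reduce(
    (worst, f) => (SEVERITY_ORDER.indexOf(f.severity) > SEVERITY_ORDER.indexOf(worst) ? f.severity : worst),
    'Info',
  );
}

// Constructed sample: the two reported pins plus a hypothetical wildcard dependency.
const SAMPLE_MANIFEST = {
  name: 'sample-email-skill',
  dependencies: { nodemailer: '6.9.16', mailparser: '^3.7.1', 'example-imap-client': '*' },
};
const SAMPLE_LOCK = { mailparser: '3.7.1' };

for (const f of auditManifest(SAMPLE_MANIFEST, SAMPLE_LOCK)) {
  console.log(`${f.severity.padEnd(6)} ${f.name}: ${f.issue}`);
}
console.log('worst:', worstSeverity(auditManifest(SAMPLE_MANIFEST, SAMPLE_LOCK)));
```

On the sample manifest the audit reports nodemailer 6.9.16 as High, mailparser both as an unpinned range and (via the lockfile) as the reported 3.7.1, and the wildcard dependency as unpinned with no resolvable version. Because only exact matches are checked, a bump to any other version clears the advisory finding; confirm against the advisory text itself that the new version is actually fixed.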

VirusTotal

66/66 vendors flagged this skill as clean.