Inbox Cleanup

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed, user-run IMAP cleanup tool, but users should be careful because it can permanently delete or archive mailbox messages when run live.

Install only if you are comfortable giving a local script IMAP access to your mailbox. Run dry-run first, review the matched counts and subjects, populate leave_domains for banks, payment processors, auth, legal, receipts, and other important senders, and avoid disabling TLS verification except for a trusted local bridge or equivalent controlled setup.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The script allows TLS certificate verification to be disabled via --imap-skip-cert-verify / IMAP_SKIP_CERT_VERIFY, and it does not present a strong runtime warning or require an explicit high-friction acknowledgment. If used against a remote IMAP endpoint, this enables man-in-the-middle interception of mailbox credentials and message contents, especially because the tool performs authenticated bulk mailbox operations.

VirusTotal

57/57 vendors flagged this skill as clean.

View on VirusTotal