MailMolt - Email for AI Agents

Security checks across malware telemetry and agentic risk

Overview

MailMolt is a legitimate-looking agent email integration, but its broad triggers and default state changes deserve review before installation.

Install only if you want the agent to operate a separate MailMolt email identity. Keep send/reply approval enabled, use the lowest MailMolt permission level that works, disable auto_mark_read if unread state matters, protect the API key, and review any optional webhook or workflow configuration before enabling it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (8)

Intent-Code Divergence

Severity: Medium. Confidence: 96%.
The handler is documented and named as a read operation, but it also performs a state-changing PATCH that marks the thread as read by default. In an agent setting, this is dangerous because a seemingly harmless 'read' action can silently alter mailbox state, hide unread items, and violate user expectations or audit workflows.

Vague Triggers

Severity: Medium. Confidence: 85%.
The trigger phrase "Check my email" is very broad and maps to a high-impact capability that reads private communications. In a multi-skill environment, ordinary user speech could unintentionally invoke this skill and cause email access or disclosure without sufficiently explicit user intent or account/context confirmation.

Vague Triggers

Severity: Medium. Confidence: 88%.
The phrase "Send an email to user@example.com about [topic]" is an overly generic natural-language trigger for an external side effect. Because sending email can transmit sensitive data or contact unintended recipients, ambiguous activation materially increases the risk of accidental outbound communication.

Vague Triggers

Severity: Medium. Confidence: 92%.
The trigger set includes very broad phrases such as "messages," "my emails," and similar natural-language terms that can easily collide with ordinary user conversation. In a communication skill that can read, send, and manage email, accidental invocation can expose message contents or cause unintended email-related actions without the user explicitly targeting MailMolt.

Vague Triggers

Severity: Medium. Confidence: 95%.
The regex-like trigger "what did .* say" is highly ambiguous and can match many ordinary conversational requests unrelated to email. Because this skill has access to inbox contents, such a trigger could cause the agent to open or summarize email threads when the user intended a general question about a person, creating an avoidable privacy and authorization risk.

Vague Triggers

Severity: Medium. Confidence: 94%.
Generic triggers like "write to," "message to," "reply to," and "respond to" can match common assistant requests that are not meant to send email. In this skill's context, unintended routing to send or reply handlers is more dangerous than read-only actions because it can generate outbound communications to humans or other agents, causing data leakage, spoofed messaging, or operational mistakes.

Vague Triggers

Severity: Medium. Confidence: 90%.
The heartbeat handler includes vague phrases like "check status," "what should I do," and "action items," which overlap with normal assistant behavior rather than a clearly scoped MailMolt command. Because heartbeat appears designed to fetch remote status and tasks, accidental invocation could leak context externally or alter the user's workflow by prioritizing service-provided actions unexpectedly.
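The six trigger findings above share one mechanism: a phrase that is common in ordinary assistant conversation routes to a handler that reads or sends mail. The following added example (not MailMolt's code; how its router actually matches is not known from this report) turns the quoted phrases into patterns, runs constructed utterances through them, and shows the collisions side by side with a simple mitigation: the same trigger only fires when the utterance also names a mailbox or the service explicitly.

```python
import re

# Trigger phrases quoted in the findings above, as regexes. This table is
# constructed for illustration; MailMolt's real trigger list and matching
# rules are not reproduced here.
BROAD_TRIGGERS = {
    "check my email": r"\bcheck my email\b",
    "messages": r"\bmessages\b",
    "my emails": r"\bmy emails\b",
    "what did .* say": r"\bwhat did .+? say\b",
    "write to": r"\bwrite to\b",
    "message to": r"\bmessage to\b",
    "reply to": r"\breply to\b",
    "respond to": r"\brespond to\b",
    "check status": r"\bcheck status\b",
    "what should I do": r"\bwhat should i do\b",
    "action items": r"\baction items\b",
}

# Tokens that make an email intent explicit. Requiring one of them beside a
# broad trigger is the mitigation shown here (an assumption, not a MailMolt
# feature).
SCOPE_TOKENS = re.compile(r"\b(e-?mail|inbox|mailbox|mailmolt)\b", re.IGNORECASE)

# Constructed utterances: the first five are not about email at all.
UTTERANCES = [
    "what did Alice say in the standup?",
    "reply to the review comment on my pull request",
    "write to the log file when the job finishes",
    "what should I do about the failing build?",
    "check status of the deployment pipeline",
    "check my email for the invoice from Acme",
    "reply to Bob's email about the invoice",
    "what did the inbox say about the outage?",
]


def match_triggers(utterance, triggers=BROAD_TRIGGERS):
    """Return the names of every trigger whose pattern matches the utterance."""
    return [name for name, pat in triggers.items()
            if re.search(pat, utterance, re.IGNORECASE)]


def match_scoped(utterance, triggers=BROAD_TRIGGERS):
    """Same matching, but only fires when the utterance also names a mailbox."""
    if not SCOPE_TOKENS.search(utterance):
        return []
    return match_triggers(utterance, triggers)


def collision_report(utterances=UTTERANCES):
    """Map each utterance to (broad matches, scoped matches) so the false
    positives of the broad trigger set are visible next to the scoped result."""
    return {u: (match_triggers(u), match_scoped(u)) for u in utterances}


if __name__ == "__main__":
    for utt, (broad, scoped) in collision_report().items():
        print(f"{utt!r}\n  broad : {broad}\n  scoped: {scoped}")
```

Run as a script, the first five utterances each hit a broad trigger and none hit a scoped one; the last three fire under both sets, since they name the mailbox. A scope token is a cheap gate, not a full fix: it still does not confirm which account to act on, and it does nothing for the send-side risk that the approval step in the Overview addresses.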

Missing User Warnings

Severity: Medium. Confidence: 94%.
Emails are automatically marked as read without any user-facing warning, confirmation, or opt-in at the point of use. In an autonomous agent context, this can cause silent state changes that affect triage, notifications, and business processes, especially when the user expected only passive inspection.
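The Intent-Code Divergence finding and this one describe the same defect from two sides: a handler named and documented as a read that also issues a PATCH marking the thread read, with no confirmation at the point of use. The added example below (illustrative Python, not MailMolt's code; the `/threads/{id}` path, the `unread` field and the `confirm` callback are assumptions) shows that pattern against a recording transport, then the split that an auditor would want: a read with no side effects and a separate, explicitly confirmed state change.

```python
from dataclasses import dataclass, field


@dataclass
class RecordingTransport:
    """Stand-in for an HTTP client: records every request instead of sending it,
    and serves/updates an in-memory mailbox so the example runs offline."""
    requests: list = field(default_factory=list)
    mailbox: dict = field(default_factory=dict)

    def get(self, path):
        self.requests.append(("GET", path, None))
        return dict(self.mailbox[path])

    def patch(self, path, body):
        self.requests.append(("PATCH", path, body))
        self.mailbox[path].update(body)
        return dict(self.mailbox[path])


def new_transport():
    """Constructed sample mailbox with one unread thread (hypothetical path)."""
    t = RecordingTransport()
    t.mailbox["/threads/42"] = {"id": 42, "subject": "Invoice 1337", "unread": True}
    return t


def read_thread_as_shipped(api, thread_id, auto_mark_read=True):
    """The pattern the finding describes: documented as a read, but the default
    argument silently mutates mailbox state on every call."""
    thread = api.get(f"/threads/{thread_id}")
    if auto_mark_read:
        api.patch(f"/threads/{thread_id}", {"unread": False})
    return thread


def read_thread(api, thread_id):
    """Pure read: returns the thread and changes nothing, whatever the config."""
    return api.get(f"/threads/{thread_id}")


def mark_thread_read(api, thread_id, confirm):
    """State change as its own operation. `confirm` is a callable the agent
    routes to the user (assumed interface); nothing is sent if it declines."""
    if not confirm(f"Mark thread {thread_id} as read?"):
        return None
    return api.patch(f"/threads/{thread_id}", {"unread": False})


def state_changes(api):
    """Audit view: the non-GET requests a transport saw, in order."""
    return [(method, path) for method, path, _ in api.requests if method != "GET"]


if __name__ == "__main__":
    shipped = new_transport()
    read_thread_as_shipped(shipped, 42)
    print("as shipped:", state_changes(shipped))        # a PATCH from a 'read'

    fixed = new_transport()
    read_thread(fixed, 42)
    print("pure read :", state_changes(fixed))          # nothing mutated
    mark_thread_read(fixed, 42, confirm=lambda q: print(q) or True)
    print("explicit  :", state_changes(fixed))          # PATCH only after confirm
```

The audit view is the useful part in practice: a read path whose request log contains anything but GETs is the signal that an "inspection" action is changing state, and is what the `auto_mark_read` advice in the Overview is guarding against.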

VirusTotal

60/60 vendors reported this skill as clean.

View on VirusTotal