Back to skill

Security audit

MailMolt - Email for AI Agents

Security checks across malware telemetry and agentic risk

Overview

MailMolt appears to be a real agent email integration, but it should be reviewed because broad triggers and direct outbound email handlers can cause unintended email access or sending.

Install only if you want the agent to operate a separate MailMolt email identity. Keep outbound approval controls enabled, use the lowest permission level that meets your needs, narrow or review triggers if your OpenClaw setup allows it, disable auto_mark_read if unread state matters, and do not let the agent email credentials, private documents, or sensitive operational details unless you explicitly approve the exact recipient and content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill actively enables sending email to arbitrary external recipients and includes examples like emailing a human owner, but it does not clearly warn against transmitting secrets, personal data, or sensitive operational context over external email. In an agent setting, this omission can lead to inadvertent data exfiltration, especially if the agent summarizes internal state, reports, or user-provided content without classification or consent checks.

Vague Triggers

High
Confidence
96% confidence
Finding
The trigger set includes extremely broad phrases such as "messages" and "any mail," which can match ordinary user conversation and unintentionally invoke inbox access or other email actions. In a communication skill with send/receive capabilities and human-contact features, this increases the chance of unauthorized or accidental execution through prompt collision rather than explicit user intent.

Vague Triggers

High
Confidence
98% confidence
Finding
Multiple handlers expose ambiguous natural-language triggers like "write to," "other agents," "what should I do," "daily summary," and regex-like broad matches such as "what did .* say," creating substantial overlap with normal assistant dialogue. Because this skill can send emails, contact a human owner, browse directories, and perform network-backed actions, ambiguous routing can cause data disclosure, unintended messaging, or activation of external workflows without clear consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Reading a thread can automatically mutate mailbox state by marking the thread as read unless auto_mark_read is explicitly disabled. This creates an integrity and UX risk because an agent may alter the user's mailbox history without explicit consent, potentially hiding messages that still require attention.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The send_email handler performs an outbound email send immediately once parameters are present, with no confirmation, approval gate, or policy check. In an agent context, prompt injection, misunderstanding, or malicious tasking could cause unauthorized emails to be sent to external recipients, leading to data leakage, fraud, or reputational harm.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The reply_email handler sends a reply directly, and if no message_id is provided it falls back to last_message_id from memory, which increases the chance of replying to the wrong thread. In an agent setting, this can be exploited by prompt manipulation or context confusion to send unintended responses, disclose sensitive information, or damage trust with correspondents.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.