A safer e-mail assistant

Security checks across malware telemetry and agentic risk

Overview

This email assistant handles sensitive mailbox data, but its access, local state, and draft-only behavior are disclosed and fit its stated purpose.

Install only if you trust the configured self-hosted email gateway and are comfortable exposing selected mailbox content to the agent session. Use a scoped API key, restrict ACCOUNT_ID or ACCOUNT_IDS to intended mailboxes, keep logs private, and review all created drafts before sending them manually.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3 (Medium)

Category: MCP Least Privilege
Confidence: 91%
Finding:
The skill clearly uses sensitive capabilities—environment variables for credentials, network access to a mailbox gateway, and local file read/write for persistent state—but does not declare permissions. This undermines informed consent and review, because users may not realize the skill can access mailbox data and write local tracking files, increasing the risk of over-broad data access or unintended persistence.

Tp4 (High)

Category: MCP Tool Poisoning
Confidence: 84%
Finding:
The stated description emphasizes safe email assistance and draft creation, but the documented behavior also includes persistent tracking of seen message IDs, multi-account polling, and retrieval/analysis of incoming message content. That mismatch can cause users to grant the skill access under incomplete assumptions, which is especially sensitive in an email context where historical correspondence and mailbox metadata may be processed across accounts.

VirusTotal

66/66 vendors flagged this skill as clean.
