Back to skill

Security audit

Email Mail Master Rose

Security checks across malware telemetry and agentic risk

Overview

This email assistant does useful mail tasks, but it ships plaintext mailbox authorization codes and can permanently delete mail without built-in confirmation.

Review before installing. Remove the bundled mailbox credentials, rotate any exposed authorization codes, configure only your own mailbox through a protected local secret mechanism, and require explicit confirmation before sending attachments or deleting mail, especially POP3 or permanent-delete operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The manifest omits deletion capability even though the skill documentation supports both recoverable and permanent mail deletion. Hidden destructive functionality is dangerous because users and calling agents may not realize the skill can remove messages, increasing the chance of accidental or unauthorized destructive actions.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill description says it sends, receives, and checks email, but the implementation also supports deleting single and multiple messages. This capability expansion is dangerous because an agent or user may invoke destructive actions that were not disclosed in the manifest, violating least surprise and increasing the risk of unauthorized data loss.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The docstring states that non-permanent deletion moves mail to a recoverable deleted folder, but the code only sets the IMAP \Deleted flag in the currently selected mailbox. That mismatch can mislead users and higher-level agents into believing deletion is safely reversible when server behavior may differ, causing unintended permanent or hard-to-recover loss.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The batch delete method repeats the same unsafe mismatch: it claims messages are moved to a recoverable deleted folder, but only marks them with the IMAP \Deleted flag. In bulk operations, this discrepancy is more dangerous because many messages can be affected at once under a false assumption of reversibility.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill metadata says it should send, receive, and check new mail, but the code exposes a delete command, including irreversible permanent deletion. This hidden capability expands the tool's authority beyond the declared user expectation, increasing the risk of destructive actions, accidental data loss, or misuse by an agent that selects the skill based on the narrower manifest description.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The CLI help and examples describe a broader mail management tool than the manifest advertises, including deletion operations and permanent deletion workflows. This mismatch is dangerous because security review, permission scoping, and agent/user trust may rely on the manifest, while the actual tool supports more powerful and destructive behaviors.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The invocation guidance is broad enough to match many generic email-related requests without clear boundaries or safety conditions. In an agent environment, overly broad routing can cause the skill to be selected for sensitive tasks involving mailbox access, message transmission, or destructive actions when a narrower, safer tool should have been used.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The instructions tell users to store email authorization codes in a local config file but do not warn that these are sensitive secrets. This increases the risk of credential exposure through insecure file permissions, accidental check-in to source control, backups, or other local file access by tools and users.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The send_email method can transmit arbitrary message content and attach arbitrary local files from paths provided to the function, yet there is no built-in consent, confirmation, or allowlist control around exfiltrating local data. In an agent context, this is particularly risky because a prompt or tool chain could cause sensitive local files to be emailed externally without the user understanding what is being sent.

Missing User Warnings

High
Confidence
96% confidence
Finding
The POP3 delete operation permanently deletes mail immediately and the method ignores the permanent parameter, providing no safeguard at the point of execution. In an email assistant skill, destructive actions on user mailboxes are highly sensitive; lack of an explicit confirmation barrier can cause irreversible data loss from a mistaken or manipulated command.

Missing User Warnings

High
Confidence
97% confidence
Finding
The batch POP3 deletion method permanently removes multiple emails without any confirmation, preview, or count-based safety check. Because the operation is irreversible and affects many messages at once, a single bad instruction can cause large-scale mailbox loss.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.