Email Sender (Traditional Chinese version)

Security checks across malware telemetry and agentic risk

Overview

This is a real email-sending skill, but it needs review because it can send external email and attachments using stored credentials and has unsafe template/file handling.

Install only if you explicitly want an agent to send real email. Use a dedicated low-risk SMTP account or app password, remove the bundled Gmail profile, verify every recipient, body, and attachment before sending, avoid the welcome password template, and do not use untrusted template names until path validation is fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding:
The template explicitly includes an initial password in plaintext email content, which is insecure because email is commonly stored, forwarded, logged, and accessible from multiple devices or mailbox compromises. Sending credentials this way increases the chance of account takeover if the message is intercepted or the recipient mailbox is later accessed by an unauthorized party.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding:
This template enables distribution of live account credentials, which expands the skill from generic email delivery into handling highly sensitive secrets. In the context of an email/template tool, that is dangerous because it normalizes insecure credential transport and may be reused broadly across onboarding flows.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding:
The skill accesses the host macOS Keychain to retrieve SMTP credentials, which is a privileged host credential-store capability. In an agent skill context, this is sensitive because a reusable function can silently pull credentials from the local machine and use them for outbound actions without an explicit trust boundary or narrowly scoped authorization flow.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding:
`delete_template()` builds file paths by directly concatenating `template_name` into `os.path.join(TEMPLATES_DIR, f"{template_name}.html")` and `.txt` without validating or normalizing the name. An attacker can supply traversal sequences such as `../../../target` so the resolved path escapes the templates directory, allowing deletion of arbitrary `.html` or `.txt` files that the process can access.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding:
`create_template()` writes to a path derived from unsanitized `template_name`, so a crafted name containing `../` can escape `TEMPLATES_DIR` and create or overwrite files elsewhere with `.html` or `.txt` suffixes. In an agent skill context, this is especially dangerous because other components may pass user-controlled template names, turning this into arbitrary file write within the agent's filesystem permissions.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding:
`load_template()` resolves `template_name` directly into filesystem paths and then reads the chosen file, so traversal like `../../secret` can cause reads outside the template store for matching `.html` or `.txt` files. While constrained to those extensions, this still enables unauthorized disclosure of accessible files and may expose credentials, configs, or sensitive HTML/text data used elsewhere by the agent.
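The three findings above (`delete_template()`, `create_template()`, `load_template()`) describe the same defect: `template_name` is joined into a path without validation. The block below is an added example, not code from the skill, showing the unvalidated join beside a hardened resolver that allowlists the name and then confirms the resolved path still sits under the templates directory. `TEMPLATES_DIR`, the function names and the extension list are assumptions modelled on the findings, not the skill's real layout.

```python
import os
import re
import tempfile

# Assumed layout (hypothetical): templates live under TEMPLATES_DIR. A temp
# directory is used here so the example runs anywhere without touching real files.
TEMPLATES_DIR = os.path.join(tempfile.gettempdir(), "email_templates_example")

# Legitimate template identifiers are short, simple names; anything else is rejected.
_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
_ALLOWED_EXT = (".html", ".txt")


def unsafe_template_path(template_name: str, ext: str = ".html") -> str:
    """The pattern the findings describe: the caller-supplied name is joined verbatim."""
    return os.path.join(TEMPLATES_DIR, f"{template_name}{ext}")


def escapes_templates_dir(path: str) -> bool:
    """True if `path`, once resolved, is not located inside TEMPLATES_DIR."""
    base = os.path.realpath(TEMPLATES_DIR)
    return os.path.commonpath([base, os.path.realpath(path)]) != base


def safe_template_path(template_name: str, ext: str = ".html") -> str:
    """Allowlist the name, then verify the resolved path stays inside TEMPLATES_DIR."""
    if ext not in _ALLOWED_EXT:
        raise ValueError(f"unsupported extension: {ext!r}")
    if not _NAME_RE.fullmatch(template_name):
        raise ValueError(f"invalid template name: {template_name!r}")
    candidate = os.path.join(os.path.realpath(TEMPLATES_DIR), f"{template_name}{ext}")
    # Defence in depth: even if the regex were loosened later, refuse anything
    # (including a symlink placed in the directory) that resolves outside the base.
    if escapes_templates_dir(candidate):
        raise ValueError("template path escapes the templates directory")
    return os.path.realpath(candidate)


def rejects(template_name: str, ext: str = ".html") -> bool:
    """Convenience check: does the hardened resolver refuse this name?"""
    try:
        safe_template_path(template_name, ext)
    except ValueError:
        return True
    return False


def create_template(template_name: str, content: str, ext: str = ".html") -> str:
    os.makedirs(TEMPLATES_DIR, exist_ok=True)
    path = safe_template_path(template_name, ext)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(content)
    return path


def load_template(template_name: str, ext: str = ".html") -> str:
    with open(safe_template_path(template_name, ext), encoding="utf-8") as fh:
        return fh.read()


def delete_template(template_name: str) -> list:
    """Remove the .html and .txt variants of a validated name; return what was removed."""
    removed = []
    for ext in _ALLOWED_EXT:
        path = safe_template_path(template_name, ext)
        if os.path.exists(path):
            os.remove(path)
            removed.append(path)
    return removed


if __name__ == "__main__":
    print("unvalidated join escapes base dir:",
          escapes_templates_dir(unsafe_template_path("../../../target")))
    print("hardened resolver rejects it:", rejects("../../../target"))
    created = create_template("welcome", "<p>hello</p>")
    print("round trip:", load_template("welcome"), "->", delete_template("welcome") == [created])
```

The allowlist regex is the primary control; the `realpath` containment check is a second, independent layer so that a future relaxation of the regex, or a symlink dropped into the templates directory, still cannot reach files outside it.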

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The README actively promotes sending emails, attachments, and batch messages but does not clearly warn users that recipient addresses, message bodies, and attached files will be transmitted to external mail servers and third parties. In an agent skill context, this omission can lead to unintentional exfiltration of sensitive workspace data or personal information because the functionality is expressly designed for outbound communication.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The template presents a password directly to the recipient without any warning, guidance, or protective handling, which encourages unsafe behavior such as retaining the email as a password record. Even with a prompt to change the password quickly, the exposure already occurred once the secret was sent in plaintext.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The reusable `send_email` function retrieves credentials from Keychain and transmits email immediately with no user-facing confirmation, audit prompt, or policy check. In an agent setting, this materially increases the risk of silent exfiltration, spam, or impersonation because another component can call the function non-interactively and send arbitrary content and attachments.

VirusTotal

66/66 vendors flagged this skill as clean.