Back to skill

Security audit

Near Email Reporter

Security checks across malware telemetry and agentic risk

Overview

This skill appears aligned with NEAR email reporting, but users should handle the SMTP password carefully because it is entered on the command line and saved locally.

Use an app-specific SMTP password rather than your primary email password. Avoid running setup on shared machines, consider clearing shell history after using --pass, verify ~/.near-email/config.json permissions, and test manually before relying on alerts or scheduled reports because those features are not fully implemented in the included script.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README explicitly states that email configuration is stored in `~/.near-email/config.json` and earlier demonstrates passing an SMTP username and password on the command line, but it does not warn users that these are sensitive secrets that must be protected. In the context of an email-reporting skill, credential exposure could let an attacker access the mailbox or abuse the SMTP account for phishing, spam, or account recovery attacks.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation instructs users to pass SMTP credentials on the command line and store them in a local config file, but it does not clearly warn that command-line secrets may be exposed through shell history, process listings, logs, or terminal recording. Storing credentials locally without explicit guidance on encryption, file permissions, and secret-handling practices increases the risk of credential disclosure and subsequent unauthorized email account access.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
SMTP credentials are accepted as command-line arguments, which are commonly exposed via shell history, process listings, audit logs, and orchestration tooling. The password is then stored in plaintext JSON on disk; while mode 0600 helps, local compromise, backups, or accidental file disclosure can still reveal reusable email credentials.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.