Email Send Receive Tool

Security checks across malware telemetry and agentic risk

Overview

This email skill appears purpose-built for IMAP/SMTP mail access, but it automatically retrieves and stores mailbox credentials with too little user control for a high-impact account capability.

Install only if you are comfortable granting this skill full personal mailbox access and allowing it to contact the configured credential service, refresh credentials automatically, and store mailbox secrets in a local .env file. Prefer using it with a dedicated app password, a specifically selected account/provider, certificate validation enabled, and narrow attachment read/write directories.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (11)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 93% confidence
Finding: The skill clearly instructs the agent to execute shell commands, access environment configuration, and use networked credential retrieval, yet the manifest declares no permissions. This creates a transparency and consent gap: an agent or reviewer cannot accurately understand the skill’s effective capabilities before use, increasing the risk of unintended secret access, outbound connections, and local state changes.

Context-Inappropriate Capability

Medium

Confidence: 95% confidence
Finding: The skill mandates running a local credential-fetch script as the very first step and states that it will automatically retrieve secrets from a credential service and write them into `.env`. That broadens the skill from email operations into credential acquisition and persistent local secret storage, which is sensitive because it can alter the host environment and expose credentials to other local processes, logs, backups, or future tasks.

Intent-Code Divergence

Medium

Confidence: 87% confidence
Finding: The documentation tells the agent not to read or modify `.env`, while also requiring execution of scripts that do modify `.env`. This contradiction undermines operator understanding and auditability, making it easier for hidden configuration changes to occur without clear review or informed consent.

Context-Inappropriate Capability

Medium

Confidence: 96% confidence
Finding: The script explicitly allows users to disable certificate validation by setting REJECT_UNAUTHORIZED=false. In an email skill that handles mailbox credentials and message contents, this enables man-in-the-middle interception of IMAP/SMTP sessions against hostile networks or malicious servers using self-signed certificates.

Intent-Code Divergence

Low

Confidence: 82% confidence
Finding: The script labels the directory variables as a 'security' file access whitelist, but it only writes user-provided values into .env and does not itself enforce any restriction. This can mislead operators into believing file reads and attachment writes are constrained when actual enforcement depends entirely on downstream code.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The top-level skill description does not warn that loading or using the skill causes automatic credential fetching and `.env` updates before any other action. This is dangerous because users may invoke what appears to be a normal email skill without realizing it will contact a credential service and persist secrets locally.

Missing User Warnings

Low

Confidence: 84% confidence
Finding: The skill supports downloading email attachments to the local filesystem, but the description does not clearly warn users that remote content will be written to disk. Attachment download is a meaningful file-write capability and can introduce privacy, storage, and malware-handling risks if users are not informed.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The script writes raw IMAP/SMTP credentials and mailbox access tokens into a local .env file immediately after receiving them, with no interactive confirmation, explicit disclosure, or safer secret-storage mechanism. In a skill whose purpose is full personal email access, silently persisting these secrets increases the chance of unintended credential exposure through local file reads, backups, logs, or later exfiltration by other components.

Missing User Warnings

Medium

Confidence: 82% confidence
Finding: This code sends a platform identifier to a local proxy which forwards the request to a remote credential service and retrieves mailbox authorization data, but the action is not surfaced to the user at runtime. Even though only the platform value is sent in the request body, the flow results in remote retrieval of sensitive mailbox credentials, which is a privacy- and consent-sensitive operation.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The automatic traversal mode iterates across multiple email platforms, contacting the credential service repeatedly until any valid mailbox credential is returned, then writes it locally. In the context of a personal-email skill, this broad probing behavior is more dangerous than a single targeted lookup because it can enumerate and activate access across several providers without prior user confirmation.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The script stores the email password or app password directly in a local .env file, creating a durable plaintext secret on disk. Even with chmod 600, the secret may be exposed through backups, accidental commits, shell history around related operations, endpoint compromise, or misuse by other local processes running as the same user.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal