Back to skill

Security audit

126 邮箱管理 Skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real 126.com email-management skill, but it gives agents broad mailbox access with weak credential storage and limited safeguards around sending, downloads, and permanent deletion.

Install only if you are comfortable giving the agent continuing access to read, send, reply, forward, move, download, and permanently delete mail from the configured 126.com account. Use an app-specific authorization code, protect or remove ~/mail126_data/config.json when not needed, avoid scheduled or cross-skill use unless tightly controlled, and manually confirm destructive mail operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill clearly describes capabilities that read and write local files and perform network operations, but the manifest does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: downstream systems or reviewers may underestimate the skill’s reach, and the skill can be invoked in contexts that did not explicitly approve mailbox access, attachment writes, or outbound email/network use.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger set includes very broad everyday terms such as “邮件”, “邮箱”, “mail”, and “inbox”, which increases the chance of unintended activation. In this skill’s context, accidental invocation is more dangerous than usual because the skill can access sensitive mailbox contents, send emails, delete messages, and download attachments, potentially causing privacy breaches or unwanted actions.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation guidance allows use whenever another skill or a scheduled task needs to send/receive email, without clear scoping, authorization boundaries, or confirmation requirements. That ambiguity can let loosely related automations trigger mailbox operations on behalf of a user, increasing the risk of unintended data access or outbound messaging.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill exposes destructive operations like email deletion and message moves without any warning, soft-delete guidance, or confirmation step. In a mailbox-management context, accidental or automated misuse can permanently remove important communications or alter message state, causing data loss and operational disruption.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation explicitly specifies a local config file containing the email address and a Base64-encoded auth code, and also documents attachment download paths, but provides no warning that these are sensitive secrets and files. Base64 is not protection, so readers may incorrectly treat the auth code as safely stored, increasing the risk of credential disclosure, unsafe file permissions, or attachment leakage when other skills or automation interact with these paths.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill stores mailbox credentials locally in a JSON config and only base64-encodes the auth code, which is not encryption and offers no real protection against local access. In a mail-management skill, these credentials grant broad mailbox access, so compromise of the file can expose email contents and allow message sending or destructive mailbox actions.

Missing User Warnings

High
Confidence
95% confidence
Finding
The delete command immediately sets the \Deleted flag and expunges the message without any confirmation, undo path, or safer trash-first behavior. In an agent-accessible mail skill that other skills and scheduled tasks can invoke, this increases the risk of accidental or unauthorized irreversible destruction of user mail.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.