Security audit

Bingo Email

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real email-management skill, but it needs Review because it can send, forward, and permanently delete mailbox data with limited confirmation safeguards.

Install only if you are comfortable giving the skill an app password or mailbox authorization code. Review all recipients before allowing send, forward, or reply-all, and avoid the delete command unless you are prepared for possible permanent deletion despite the documentation describing a softer delete.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (7)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 92% confidence
Finding: The skill documentation describes capabilities to read and write local config files, invoke shell commands such as pip/python, and make IMAP/SMTP network connections, but no explicit permission model is declared. In an agent setting, this under-specification is dangerous because it can cause the agent to perform sensitive filesystem and network actions without clear user consent boundaries, including handling mailbox credentials and sending email.

Description-Behavior Mismatch

Medium

Confidence: 89% confidence
Finding: The skill description frames the tool as general email management, but the implementation includes a destructive delete capability that permanently removes messages. In an agent setting, a user or orchestrator may invoke the skill expecting non-destructive mailbox management, increasing the risk of unintended irreversible data loss.

Intent-Code Divergence

High

Confidence: 98% confidence
Finding: The docstring says deletion moves mail to a deleted folder, but the code sets the \Deleted flag and immediately calls EXPUNGE, which permanently removes the message. This mismatch is dangerous because operators and upstream agents may rely on the softer documented behavior and trigger irreversible deletion under false assumptions.

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The trigger guidance is very broad, activating on generic terms like '邮箱', '收件箱', '回复', and '草稿箱', which are common in normal conversation. In an agent environment this can misroute unrelated user requests into a high-impact skill that reads mail, sends messages, or manipulates folders, increasing the chance of unintended actions on sensitive communications.

Missing User Warnings

Medium

Confidence: 85% confidence
Finding: Reply-all automatically includes recipients from the original To/Cc headers without any visibility gate or confirmation. In a delegated agent workflow, this can unintentionally disclose recipient relationships or send sensitive responses to a broader audience than the user intended.

Missing User Warnings

Medium

Confidence: 86% confidence
Finding: Forwarding sends the original message content to a new recipient immediately, with no preview or confirmation step. In agent-driven use, this creates a real confidentiality risk because sensitive email content can be retransmitted to an unintended third party through a single mistaken instruction or parameter.

Missing User Warnings

High

Confidence: 98% confidence
Finding: The delete path performs permanent deletion without any confirmation prompt, undo window, or destructive-action warning. Because email is often high-value data and this tool is intended for agent use, a mistaken ID, prompt injection, or user misunderstanding can cause immediate irreversible loss.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal