Qqmail 1.0.0

Security checks across malware telemetry and agentic risk

Overview

This appears to be a normal email-integration skill, but users should treat sends and attachments as real external email delivery.

Install only if you trust the email provider and are comfortable with the agent sending real emails through it. Review recipients, message text, and every attachment before sending, especially for customer data, credentials, private files, or regulated information.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The skill supports sending emails and attachments to external recipients but does not prominently warn that user-provided message bodies and attached local files will leave the system and be transmitted off-platform. Without explicit disclosure and confirmation, users may unintentionally exfiltrate sensitive content or files through normal-looking skill operations.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal