AgentMail Integration

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate AgentMail automation skill, but it needs review because it can send/manage email and save untrusted attachments to local files without enough guardrails.

Install only if you are comfortable giving it an AgentMail API key that can send email, manage inboxes, and register webhooks. Avoid downloading or automatically processing attachments from untrusted senders until filenames are sanitized and files are scanned. Use sender allowlists, human approval for outbound replies or forwarding, trusted webhook endpoints, and avoid logging message bodies in shared environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Context-Inappropriate Capability

Medium, 92% confidence
The example introduces a Slack integration that forwards email-derived content to a third-party service, which expands the data flow beyond the stated AgentMail-focused purpose. Even as sample code, this can normalize exfiltration of potentially sensitive email content without clear consent, minimization, or boundary warnings.

Context-Inappropriate Capability

Medium, 94% confidence
This pattern explicitly demonstrates distributing outbound email across multiple inboxes 'for better deliverability' and includes bulk-recipient sending logic. In an agent email automation skill, that materially lowers friction for mass-mail campaigns and can be repurposed for spam, evasion of provider reputation controls, or phishing at scale.

Vague Triggers

Medium, 84% confidence
The activation text is overly broad and can cause the skill to be selected for many generic email tasks without clear safety boundaries. In a skill that can send external emails, create/delete inboxes, and set up webhooks, vague triggering increases the chance of unintended data disclosure or destructive actions being performed in the wrong context.

Missing User Warnings

Medium, 93% confidence
The skill includes operations that transmit data externally, process potentially sensitive email content, download attachments, register webhooks, and delete inboxes, yet it does not provide a clear up-front warning about privacy, external sharing, retention, or destructive effects. This is dangerous because users may unknowingly authorize actions that expose personal or confidential data or irreversibly remove resources.

Missing User Warnings

Medium, 95% confidence
The code forwards sender, subject, inbox identifier, and body text excerpts to Slack without any user-facing disclosure that email contents are being sent outside the email system. This is dangerous because users may treat examples as safe defaults, leading to unintended disclosure of sensitive or regulated information to a separate platform.

Missing User Warnings

Medium, 89% confidence
The attachment pipeline automatically downloads, saves, and processes untrusted email attachments, including importing CSV data into a database, without any validation, sandboxing, or approval step. Email attachments are a common malware and malicious-input vector, so this pattern can lead to code execution in downstream parsers, data poisoning, or unsafe ingestion of attacker-controlled content.

Missing User Warnings

Medium, 86% confidence
The digest example forwards message subjects, senders, and body previews to another recipient without any privacy notice, minimization, or access-control context. That can expose sensitive or personal email content to unintended parties and normalize silent secondary use of collected communications.

Missing User Warnings

Medium, 84% confidence
The auto-responder sends autonomous outbound replies to all incoming emails with no visible disclosure, approval gate, recipient restrictions, or abuse controls. This can cause unintended commitments, information leakage, mail loops, or convincing automated responses to malicious senders attempting prompt injection or social engineering through email content.

Missing User Warnings

Medium, 91% confidence
The watch mode prints sender, subject, date, and up to 500 characters of message text directly to stdout. Email contents commonly contain secrets, personal data, links, and internal business information, and stdout is often captured by terminals, logs, CI systems, or shared agent traces, so this creates an unnecessary data exposure path.

Missing User Warnings

Medium, 88% confidence
The recent command fetches inbox messages and prints preview text to stdout without an explicit disclosure or minimization of sensitive content. Even short previews can expose confidential information, authentication links, personal data, or message context to logs and other observers of the execution environment.

VirusTotal

66/66 vendors flagged this skill as clean.