发送邮件 (Send Email)

Security checks across malware telemetry and agentic risk

Overview

The skill is not clearly malicious, but it can automatically email local financial report files and exposes SMTP credentials, so it needs review before installation.

Install only if you intend this exact automated daily financial-report workflow, trust the fixed recipient and sender account, and can rotate/remove the exposed SMTP authorization code. Before use, verify the config.py values, restrict the attachment directory, and require explicit confirmation before any email is sent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill documentation describes reading local files such as `market_data.json` and scanning `E:\daily\{date}\` for attachments, but the skill metadata does not declare corresponding file-read permissions. This creates a transparency and policy-enforcement gap: users or reviewers may believe the skill only sends email, while it also accesses local data and documents.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 93%
Finding: The skill is presented as a general email-sending capability, but the documented behavior is a specialized automated exfiltration workflow: it reads local market data, discovers local report files, and sends them to a fixed external recipient using preconfigured credentials. This mismatch increases the risk of users invoking the skill without understanding that sensitive local business data and attachments will be automatically collected and transmitted.

Context-Inappropriate Capability

Severity: Medium
Confidence: 99%
Finding: The documentation exposes live-looking SMTP credentials, including server details, sender identity, and an authorization code. Hard-coded secrets in skill files can be reused by unauthorized parties to send email, impersonate the account, or pivot into related systems, and they are especially dangerous because this skill already performs outbound transmission.
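The two conditions flagged above, undeclared local-file access and hard-coded SMTP secrets sitting in skill files, are cheap to catch with a pre-install lint before the skill is ever loaded. The following is an added example, not SkillSpector's or the skill's own code: the SKILL_TEXT sample, the key names (SMTP_SERVER, AUTH_CODE), the placeholder list and the path patterns are constructed assumptions for illustration, not the real contents of this skill.

```python
"""Pre-install lint for hard-coded SMTP secrets and local-path access in skill files.

Added example, not part of SkillSpector or of the skill it scanned. SKILL_TEXT
is constructed for illustration; the key names and layout are assumptions.
"""
import re

SECRET_KEYS = r"(?:auth(?:orization)?_?code|password|passwd|pwd|token|api_?key|secret)"
# key = "value" / key: value, with a value long enough to be a real credential
SECRET_ASSIGNMENT = re.compile(
    rf"""(?i)\b{SECRET_KEYS}\b\s*[:=]\s*['"]?(?P<val>[^'"\s,]{{6,}})""")
# smtp.* / mail.* host names: server details a skill should not hard-code
SMTP_HOST = re.compile(r"(?i)\b(?:smtp|mail)\.[\w.-]+\.[a-z]{2,}\b")
# Windows drive paths (including {date}-style templates) and POSIX absolute paths
LOCAL_PATH = re.compile(
    r"(?:[A-Za-z]:\\[^\s'\"<>|]+|(?<![\w./])/(?:[\w{}.-]+/)+[\w{}.-]*)")
# Values that look like a key but are clearly not live credentials
PLACEHOLDERS = {"xxx", "changeme", "your_auth_code", "<redacted>", "..."}

# Constructed sample skill file (hypothetical; not the scanned skill's text)
SKILL_TEXT = """\
---
name: send-mail
description: Send the daily report by email
---
SMTP_SERVER = "smtp.example.com"
SMTP_PORT = 465
SENDER = "reports@example.com"
AUTH_CODE = "abcdefghijklmnop"
RECIPIENT = "boss@example.com"
Read market_data.json, then attach every file under E:\\daily\\{date}\\ and send.
"""


def scan_skill(text: str) -> list[dict]:
    """Return one record per suspicious line: kind, 1-based line number, matched text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SECRET_ASSIGNMENT.search(line)
        if m and m.group("val").lower() not in PLACEHOLDERS:
            findings.append({"kind": "hardcoded_secret", "line": lineno, "match": m.group(0)})
        for host in SMTP_HOST.findall(line):
            findings.append({"kind": "smtp_server", "line": lineno, "match": host})
        for path in LOCAL_PATH.findall(line):
            findings.append({"kind": "local_path_access", "line": lineno, "match": path})
    return findings


def verdict(findings: list[dict]) -> str:
    """Triage rule: a live-looking secret blocks install; local paths need a declared permission."""
    kinds = {f["kind"] for f in findings}
    if "hardcoded_secret" in kinds:
        return "reject"       # rotate the credential, move it to env/keychain, then rescan
    if "local_path_access" in kinds or "smtp_server" in kinds:
        return "review"       # compare against the permissions the skill metadata declares
    return "ok"


if __name__ == "__main__":
    results = scan_skill(SKILL_TEXT)
    for f in results:
        print(f"line {f['line']:>3}  {f['kind']:<18}  {f['match']}")
    print("verdict:", verdict(results))
```

The lint is deliberately line-oriented so each hit maps back to a line a reviewer can open; any `local_path_access` hit should then be checked against the permissions the skill metadata actually declares, which is exactly the gap the least-privilege finding describes.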

Vague Triggers

Severity: Medium
Confidence: 81%
Finding: The trigger phrases such as '发送邮件' (send email), '发送报告' (send report), and '发送日报' (send daily report) are broad and likely to overlap with normal conversation. In the context of a skill that automatically reads local files and sends email to a fixed recipient, accidental triggering could cause unintended disclosure of reports or market data without sufficient user intent verification.
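The mitigations listed in the overview (credentials kept out of config.py, a confined attachment directory, a fixed recipient, explicit confirmation before sending) also address the tool-poisoning and vague-trigger findings above: an accidental trigger cannot transmit anything unless the user approves the exact message. The following hardened send path is an added example, not the skill's own code. The environment variable names, the allowlisted recipient reports@example.com, the attachment root passed by the operator, and the approval-summary mechanism are assumptions introduced here.

```python
"""Hardened send path for an email-report skill.

Added example, not the skill's own code. Assumptions (not stated on the page):
SMTP settings come from the environment instead of config.py, the operator fixes
a recipient allowlist and an attachment root, and the caller must present the
approval summary for this exact message before anything leaves the host.
"""
import os
import smtplib
from email.message import EmailMessage
from pathlib import Path
from typing import Callable, Iterable, Mapping

# Operator-controlled policy (hypothetical values)
ALLOWED_RECIPIENTS = frozenset({"reports@example.com"})
ALLOWED_SUFFIXES = frozenset({".pdf", ".xlsx", ".csv"})
REQUIRED_ENV = ("SMTP_HOST", "SMTP_PORT", "SMTP_USER", "SMTP_AUTH_CODE")


class PolicyViolation(Exception):
    """Request falls outside the operator's allowlists or lacks confirmation."""


def load_smtp_config(env: Mapping[str, str] = os.environ) -> dict:
    """Read credentials from the environment so none are hard-coded in skill files."""
    missing = [k for k in REQUIRED_ENV if not env.get(k)]
    if missing:
        raise PolicyViolation(f"missing SMTP settings: {', '.join(missing)}")
    return {k.lower(): env[k] for k in REQUIRED_ENV}


def resolve_attachment(candidate: str, root) -> Path:
    """Confine an agent-supplied attachment path to *root*.

    resolve() collapses '..' and follows symlinks, so '../key.pem', an absolute
    path, or a symlink pointing outside the report directory is rejected before
    any file is read. Only report-like file types are accepted.
    """
    root = Path(root).resolve()
    path = (root / candidate).resolve()
    if root not in path.parents:
        raise PolicyViolation(f"attachment escapes {root}: {candidate}")
    if path.suffix.lower() not in ALLOWED_SUFFIXES:
        raise PolicyViolation(f"attachment type not allowed: {path.name}")
    return path


def build_message(sender: str, recipient: str, subject: str, body: str,
                  attachments: Iterable[Path] = ()) -> EmailMessage:
    """Assemble the message; the recipient must be on the allowlist."""
    if recipient not in ALLOWED_RECIPIENTS:
        raise PolicyViolation(f"recipient not allowed: {recipient}")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(body)
    for path in attachments:  # callers pass paths already vetted by resolve_attachment
        msg.add_attachment(path.read_bytes(), maintype="application",
                           subtype="octet-stream", filename=path.name)
    return msg


def approval_summary(msg: EmailMessage) -> str:
    """What the user must see and approve: recipient, subject, attachment names."""
    names = sorted(p.get_filename() or "?" for p in msg.iter_attachments())
    return f"to={msg['To']}; subject={msg['Subject']}; attachments={names}"


def smtp_transport(cfg: dict, msg: EmailMessage) -> None:
    """Real transport, SMTP over TLS; only reached after confirmation."""
    with smtplib.SMTP_SSL(cfg["smtp_host"], int(cfg["smtp_port"])) as conn:
        conn.login(cfg["smtp_user"], cfg["smtp_auth_code"])
        conn.send_message(msg)


def send_report(msg: EmailMessage, cfg: dict, approved: str,
                transport: Callable[[dict, EmailMessage], None] = smtp_transport) -> dict:
    """Transmit only if *approved* equals this message's own approval summary.

    Binding the confirmation to the summary means an approval obtained for one
    message cannot be replayed for a different recipient or attachment set.
    Returns an audit record for logging.
    """
    expected = approval_summary(msg)
    if approved != expected:
        raise PolicyViolation(f"explicit confirmation required; show the user: {expected}")
    transport(cfg, msg)
    return {"to": str(msg["To"]), "attachments": list(msg.iter_attachments()), "sent": True}


if __name__ == "__main__":
    demo = build_message("sender@example.com", "reports@example.com", "Daily report", "see attached")
    print("needs approval for:", approval_summary(demo))
    try:
        send_report(demo, {}, approved="", transport=lambda c, m: None)
    except PolicyViolation as exc:
        print("blocked:", exc)
```

In the skill flow, the agent prints `approval_summary(msg)` to the user and only passes that string back to `send_report` after the user has confirmed it; a dry-run `transport` lambda, as in the demo, lets the whole path be exercised without any SMTP connection.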

VirusTotal

64 of 64 vendors reported this skill as clean.
