Mail Mate

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it reads filtered IMAP email, extracts fields, and can optionally push results or run on a schedule, but users must handle mailbox credentials and pushed email content carefully.

Install only if you are comfortable giving the skill an email app password or authorization code. Use a dedicated or least-privilege mailbox where possible, keep filters narrow, reduce preview_length for sensitive mail, enable DingTalk/Feishu/Telegram push only to trusted destinations, and remove the crontab entry plus the generated .env file when scheduled processing is no longer needed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (9)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The README instructs users to export email account identifiers and authorization secrets as environment variables and later describes persisting all `SKILL_*` values into a local `.env` file. Even with mode 600, this encourages storage of live credentials on disk and in shell history/process environments without clearly warning about exposure through backups, logs, shared accounts, or misconfigured file permissions.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The README promotes pushing parsed email content and `extracted_data` to DingTalk, Feishu, and Telegram but does not warn that email-derived data may contain sensitive or regulated information. This can cause unintended exfiltration of mailbox contents to third-party messaging platforms, especially when used by agents that process alerts, reports, or personal data automatically.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: This code ingests sensitive credentials and account information from environment variables or stdin and immediately uses them for mailbox access, but this file provides no disclosure, consent prompt, or minimization controls. In an agent-skill context, silently consuming secrets supplied by the runtime increases the risk of covert credential use and makes misuse harder for operators to detect.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill can forward retrieved email content to an arbitrary webhook when push_platform is set, creating an exfiltration path for potentially sensitive mailbox data. Because this file shows no allowlist, confirmation step, or destination validation, a malicious or misconfigured caller could send private emails to an attacker-controlled endpoint.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The script writes sensitive secrets such as SKILL_AUTH_PASSWORD and webhook-related credentials into a persistent .env file on disk so cron can source them later. Persisting credentials expands their exposure window, creates a recoverable secret store in the skill directory, and may unintentionally leak secrets via backups, filesystem access, or operational handling.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill explicitly promotes pushing extracted email data to third-party messaging platforms and even states that Markdown messages will include extracted_data for visibility. Because mailbox contents commonly contain sensitive operational, personal, or business information, this creates a real confidentiality risk if users enable push without understanding the data-sharing implications.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The cron setup instructs users to export mailbox credentials and webhook secrets as environment variables without warning about exposure through shell history, process inspection, inherited environments, or long-lived system configuration. This can lead to credential disclosure and persistent secret leakage on multi-user or monitored systems.

Ssd 3

Medium

Confidence: 96% confidence
Finding: The documentation semantically instructs disclosure of mailbox-derived data by sending extracted fields and previews to external chat platforms. In the context of an IMAP-processing skill, that is more dangerous because the source data is email content, which often includes credentials, alerts, internal identifiers, customer data, or incident details.

Ssd 3

Medium

Confidence: 90% confidence
Finding: The advanced workflow instructs the agent to read mailbox contents, aggregate extracted data, and publish subject and timestamp details. Even if intended for monitoring, this still operationalizes exfiltration of mailbox-derived metadata and potentially sensitive business signals into downstream outputs or chats.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal