Writing and reading

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed MoltMail/EtherMail email-and-wallet integration, but users should treat setup and account use as sensitive.

Install only if you intend to use MoltMail/EtherMail for a wallet-backed inbox. Prefer creating a dedicated wallet instead of importing a valuable existing wallet, keep the passphrase private, protect the ./state directory, and confirm before sending emails or reading messages that will be marked as read.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Vague Triggers

Medium
Confidence: 84%
Finding
The example triggers include very generic requests such as creating an email account or temp email, which can cause the skill to activate for broad everyday intents. Because this skill can initiate setup flows, request passphrases, create wallet-backed identities, and contact a remote service, overbroad activation increases the risk of unintended invocation and sensitive-action prompting in contexts where the user did not specifically request this provider.

Vague Triggers

Medium
Confidence: 81%
Finding
The 'When to Use This Skill' section is ambiguous and includes broad categories like creating a disposable email, testing email sending, and privacy-focused messaging. In context, this is more dangerous than a normal email helper because the skill provisions a remote identity tied to wallet material and stored tokens; vague activation criteria can steer unrelated user requests into a high-trust workflow involving secrets and external accounts.

Missing User Warnings

Medium
Confidence: 94%
Finding
The code stores a bearer authentication token in a predictable local path on disk in plaintext JSON. Even with restrictive file mode on write, local compromise, backup leakage, symlink/path abuse, or subsequent permissive reads can expose the token and allow account takeover or unauthorized mailbox access until expiry.

Missing User Warnings

Medium
Confidence: 92%
Finding
The script performs a state-changing action immediately after a read operation by calling markEmailAsRead whenever content is fetched. In an agent context, this can silently alter mailbox state, interfere with auditability or workflow logic, and cause important messages to appear processed even when a human or downstream agent has not explicitly acknowledged them.

Known Vulnerable Dependency: axios==1.13.4 — 10 advisory(ies): CVE-2025-62718 (Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF); CVE-2026-42044 (Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `pars); CVE-2026-25639 (Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig) +7 more

High
Category: Supply Chain
Confidence: 95%
Finding
axios==1.13.4

VirusTotal

65/65 vendors flagged this skill as clean.
