Back to skill

Security audit

read-no-evil-mcp

Security checks across malware telemetry and agentic risk

Overview

This skill is coherent email-management software, but it deserves review because it can let an agent send, move, and delete email without clear per-action confirmation guidance.

Review before installing if you plan to grant write access to real mailboxes. Prefer read-only accounts and restricted folders unless sending, moving, or deleting is truly needed, and require explicit user approval before any outbound email or mailbox-changing action. Treat the .env password file and Docker container environment as sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill exposes capabilities to write files, invoke shell commands, use environment variables, contact network services, and interact with an MCP server, but it does not declare those permissions up front. That creates a trust and review gap: an agent or user may approve the skill for email access while not realizing it can also modify local configuration, launch Docker, and communicate with arbitrary server URLs.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill is presented as a secure email access layer, but the documented behavior extends into local system administration: creating and overwriting config files, generating .env files, managing accounts, and pulling/running Docker containers. This mismatch is dangerous because users may consent to a mail-reading skill without understanding it can change persistent local state and execute broader operational actions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill documents destructive email actions like move and delete without requiring an explicit confirmation step. In an agent setting, that can lead to accidental or prompt-induced mailbox modification or data loss, especially because email content itself may try to manipulate the agent into taking actions.

Credential Access

High
Category
Privilege Escalation
Content
echo "Pulling $IMAGE ..."
docker pull "$IMAGE"

# --- Load credentials from .env ---
env_args=()
while IFS= read -r line || [ -n "$line" ]; do
    line="${line%%#*}"  # strip comments
Confidence
84% confidence
Finding
.env

Session Persistence

Medium
Category
Rogue Agent
Content
**Do NOT** run `setup-config.py show` — it displays config details the user may not intend to share with the agent. If debugging is needed, tell the user to run it themselves.

**Do NOT** run `setup-config.py create --force` if config already exists without asking the user first.

## Config Commands
Confidence
62% confidence
Finding
create --force` if config already exists without asking the user first. ## Config Commands Manage the server config file (`~/.config/read-no-evil-mcp/config.yaml`). No pip install required — stdlib

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.