Back to skill

Security audit

Emailbox

Security checks across malware telemetry and agentic risk

Overview

This email skill appears purpose-built, but it handles powerful mailbox credentials and keeps scheduled email content on disk in ways users should review carefully.

Install only if you are comfortable giving the skill mailbox read/send capability. Prefer a dedicated email account or revocable app password, avoid the plaintext credentials-file option, keep secrets out of shell history and logs, secure or regularly delete ~/.emailbox, and review scheduled queue files because they can contain full email contents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill exposes sensitive capabilities including environment access, file read/write, shell execution, and network communication, but does not declare permissions. For an email client skill, these capabilities are expected, yet the lack of explicit permission declaration weakens transparency and reviewability and can cause users or orchestrators to grant broader access than they realize.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The document says credentials should never be stored in plaintext files, but then provides instructions to create and source a plaintext credentials file. Even with chmod 600, plaintext secrets at rest are vulnerable to local compromise, backups, accidental inclusion in logs or repos, and sourcing can expose them to subprocesses.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The privacy guidance claims credentials should only be stored in environment variables and not plaintext files, directly contradicting earlier setup steps that instruct users to create a plaintext credentials file. This inconsistency can mislead users into insecure handling of mailbox authorization codes, increasing the chance of credential exposure.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation explicitly tells users to place email authorization codes and app passwords in environment variables, but it provides no warning that these values are secrets that can be exposed through shell history, process listings, crash logs, CI/CD output, shared terminal sessions, or inherited subprocess environments. In an email automation skill, these credentials can grant direct access to mailbox contents and sending capability, enabling account compromise, phishing, data exfiltration, and impersonation if leaked.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script persists full scheduled email contents and metadata, including recipients, subject, body, HTML, and attachments list, into plaintext JSON files under the user's home directory. In an email-processing skill, that can expose sensitive business or personal communications to other local users, backups, forensic tools, or malware, especially because the user is not clearly warned that message data will remain on disk until manually cleaned up.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
When processing queued mail, the script creates additional plaintext body and HTML files alongside the queue entry, creating extra on-disk copies of potentially sensitive email content. Those files are not removed after use and are not disclosed to the user, increasing the exposure window and likelihood of unintended local data leakage.

Session Persistence

Medium
Category
Rogue Agent
Content
# Windows: Use Windows Credential Manager

# Option C: Restricted file (if persistent config is required)
# Create a file with restricted permissions that only you can read:
mkdir -p ~/.emailbox && touch ~/.emailbox/credentials
chmod 600 ~/.emailbox/credentials
# Then add your credentials:
Confidence
94% confidence
Finding
Create a file with restricted permissions that only you can read: mkdir -p ~/.emailbox && touch ~/.emailbox/credentials chmod 600 ~/.emailbox/credentials # Then add your credentials: # EMAIL_ADDRESS=y

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
references/providers.md:133