Back to skill

Security audit

Sog

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate mail, calendar, contacts, tasks, and files CLI, but it needs review because it can affect sensitive account data and includes weakly guarded automation, deletion, credential, and insecure-transport paths.

Review before installing. Use only accounts you trust this CLI to manage, prefer TLS/HTTPS with certificate validation, avoid --insecure and --no-tls outside isolated testing, avoid passing passwords directly on the command line, and do not use idle --exec unless you fully trust the exact command and understand that incoming mail can trigger it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documents capabilities that can access environment variables, write files, and communicate over the network, but it does not declare corresponding permissions. That mismatch weakens reviewability and consent because an agent may invoke a mail/calendar/file-sync tool with broader real-world effects than the skill metadata suggests.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill exposes destructive operations such as deleting mail, folders, contacts, tasks, and remote files without prominently warning about irreversible data loss or server-side side effects. In an agent context, especially with flags like --force and --no-input, this increases the chance of accidental bulk deletion or unsafe automation.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The authentication commands accept passwords and describe storage in the keychain, but they do not warn users about secret handling risks such as shell history exposure when secrets are passed on the command line. This can lead to credential leakage even if storage at rest is secure.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The account removal command performs a destructive action immediately after loading configuration, and the code explicitly notes that a confirmation prompt is still TODO. In a CLI that manages real user accounts and stored credentials, accidental invocation or scripting mistakes can delete account configuration without any user verification, causing loss of access setup and possible credential cleanup.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The delete command performs a destructive IMAP folder deletion immediately and the code explicitly notes that a confirmation prompt is still TODO. In a CLI that manages real mail accounts, an accidental invocation, typo, or automation mistake can permanently remove or disrupt mailbox folders, causing data loss or service impact.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The `Exec` option enables arbitrary shell execution on every new-mail event, yet the help text does not clearly communicate that this is full local code execution with shell semantics. In a mail-watching workflow, users may enable it for convenience and later trigger repeated command execution from remotely induced mail arrivals, increasing the chance of unsafe automation or privilege misuse.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
When StorageFile is selected, passwords are serialized into credentials.json in plaintext. Although the file is created with 0600 permissions, local compromise, backups, sync tools, or accidental file disclosure would expose reusable credentials, and the operation site provides no warning that a less secure backend is being used.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The code silently falls back to reading credentials from an environment variable when primary storage lookup fails. Environment variables are often exposed through process inspection, crash dumps, CI logs, shell history or inherited child processes, so using them for long-lived passwords without clear disclosure increases secret exposure risk.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
Protocol-specific password retrieval also silently accepts secrets from environment variables, creating the same exposure risks as the generic fallback while broadening the number of secret names that may exist in the environment. This makes accidental leakage and operational misconfiguration more likely.

Missing User Warnings

High
Confidence
98% confidence
Finding
When cfg.NoTLS is enabled, the client uses a plaintext IMAP connection and then performs LOGIN with the email address and password. This exposes credentials and mailbox data to interception by any attacker on the network path, which is especially dangerous for an email client handling sensitive communications.

Missing User Warnings

High
Confidence
97% confidence
Finding
The non-TLS fallback path also uses DialInsecure, meaning credentials may be sent over an unencrypted channel whenever TLS is not explicitly enabled. In the context of an IMAP client, this materially increases the risk of credential theft and mailbox compromise due to misconfiguration or unsafe defaults.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Allowing InsecureSkipVerify disables server certificate validation, enabling man-in-the-middle attacks even though the session appears to use TLS. An attacker can impersonate the IMAP server, capture credentials, and read or modify mailbox contents.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.