Back to skill

Security audit

Imap Smtp Email.Manual Backup

Security checks across malware telemetry and agentic risk

Overview

The skill does what it says, but it gives an agent broad email access and sending ability with weak safeguards around secrets, confirmations, and attachment downloads.

Install only if you are comfortable giving the skill access to your mailbox and the ability to send email. Use app-specific passwords or least-privilege credentials, protect or avoid the .env file, confirm every send or mailbox-changing action yourself, avoid the broad trigger wording, and do not download attachments from untrusted senders until filename sanitization is fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (15)

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script explicitly loads IMAP credentials from environment variables and a local .env file, then uses them to authenticate to a mail server. In an agent skill with no stated business need or user disclosure, collecting mailbox credentials is highly sensitive because it enables access to private communications and can be repurposed for broader account abuse.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code connects to a remote IMAP server, opens the user's Gmail All Mail mailbox, and fetches message contents. Accessing All Mail is especially invasive because it exposes a broad corpus of user communications, and in this skill context there is no manifest-stated justification or minimization of scope.

Vague Triggers

High
Confidence
96% confidence
Finding
The skill explicitly says to use it for ANY request mentioning email, inbox, mail, messages, or unread, which is an overly broad trigger for a capability that can both read private communications and send outbound messages. This increases the chance of unintended activation on ambiguous prompts and can lead to unauthorized mailbox access, message disclosure, or message transmission without clear user intent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The description advertises commands that can send email and modify mailbox state, but it does not require any user warning or confirmation before those actions. In an agent setting, this can cause accidental outbound email, unintended read/unread state changes, or other mailbox modifications from misinterpreted requests.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script parses email bodies and prints message metadata plus text snippets to stdout as JSON. Emitting mailbox contents to standard output can leak sensitive data into logs, calling processes, consoles, or other components that capture output, creating an easy exfiltration path.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The script connects to a remote IMAP server, enumerates the entire inbox, parses message bodies, and prints sender, subject, date, and a text snippet for every email. In an agent-skill context, that behavior can expose sensitive mailbox contents to logs, downstream tools, or an untrusted caller without any explicit consent gate, scope limitation, or data minimization.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script fetches email bodies, extracts text snippets, and prints them to stdout as JSON. That exposes potentially sensitive message content to terminal history, logs, calling processes, or other components without any consent, masking, or warning, which is especially risky in an agent skill context where output may be forwarded automatically.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Attachment filenames are written to disk using path.join(outputDir, attachment.filename) without sanitizing the attachment filename. A malicious email can supply filenames containing path traversal sequences or absolute paths, causing writes outside the intended directory and potentially overwriting user files.

Missing User Warnings

Medium
Confidence
77% confidence
Finding
The test command performs a real outbound email send rather than a non-delivery connectivity check, and it does so without explicit confirmation. In an agent/automation context, this can cause unintended message transmission, generate audit noise, leak that the account is active, or surprise users who expected a harmless health check.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script writes the supplied email username and password directly into a plaintext .env file on disk without setting restrictive permissions or clearly warning the user about secret persistence. On multi-user systems, in backups, shell workspaces, or accidental source-control commits, these credentials can be exposed and reused to access the mailbox and SMTP account.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Immediately after collecting credentials, the script uses them in outbound network connection tests without an explicit upfront notice that the secrets will be transmitted to external mail servers. This can surprise users and, in the custom-provider path, may send credentials to an attacker-controlled host if the operator enters an untrusted IMAP/SMTP endpoint.

Credential Access

High
Category
Privilege Escalation
Content
const Imap = require('imap');
const { simpleParser } = require('mailparser');
const path = require('path');
require('dotenv').config({ path: path.join(__dirname, '.env') });

const host = process.env.IMAP_HOST || 'imap.gmail.com';
const port = parseInt(process.env.IMAP_PORT || '993', 10);
Confidence
90% confidence
Finding
.env'

Credential Access

High
Category
Privilege Escalation
Content
const Imap = require('imap');
const { simpleParser } = require('mailparser');
const path = require('path');
require('dotenv').config({ path: path.join(__dirname, '.agents', 'skills', 'imap-smtp-email', '.env') });

const config = {
  user: process.env.IMAP_USER,
Confidence
87% confidence
Finding
.env'

Unpinned Dependencies

Low
Category
Supply Chain
Content
"imap": "^0.8.19",
    "imap-simple": "^5.1.0",
    "mailparser": "^3.9.3",
    "nodemailer": "^7.0.13"
  },
  "keywords": [
    "imap",
Confidence
98% confidence
Finding
"nodemailer": "^7.0.13"

Known Vulnerable Dependency: nodemailer==7.0.13 — 6 advisory(ies): GHSA-268h-hp4c-crq3 (Nodemailer: CRLF injection in Nodemailer List-* header comments allows arbitrary); GHSA-c7w3-x93f-qmm8 (Nodemailer has SMTP command injection due to unsanitized `envelope.size` paramet); GHSA-p6gq-j5cr-w38f (Nodemailer: Message-level raw option bypasses disableFileAccess/disableUrlAccess) +3 more

High
Category
Supply Chain
Confidence
99% confidence
Finding
nodemailer==7.0.13

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
fetch_allmail.js:7

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
fetch_emails.js:7

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/check_emails.js:7

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/imap.js:23