Back to skill

Security audit

Imap Smtp Email

Security checks across malware telemetry and agentic risk

Overview

This is a real email-access skill, but it asks for broad always-on mailbox authority and stores/sends with credentials in ways users should review carefully.

Install only if you are comfortable giving this skill ongoing access to read and send mail for the configured account. Use an app-specific password, restrict the .env file to the current user, avoid self-signed certificate mode unless you fully trust the server, review every send/download/mark-read action before running it, and update or replace vulnerable dependencies before using it with important mailboxes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Vague Triggers

High
Confidence
97% confidence
Finding
The trigger guidance is excessively broad: it instructs use of the skill for ANY request mentioning email, inbox, mail, messages, or unread, which can cause the agent to invoke a credentialed mailbox-reading and email-sending tool for incidental or ambiguous user prompts. In this context, unintended invocation is especially dangerous because the skill can access mailbox contents, attachments, and send outbound messages, increasing the risk of privacy breaches or unauthorized actions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill description does not prominently warn that the tool can read mailbox contents, fetch full emails, download attachments, mark messages read/unread, and send email on the user's behalf. Without an upfront capability warning, an agent or operator may invoke it without appreciating the sensitivity of the data and the side effects, which raises the risk of accidental data exposure or unauthorized outbound communication.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script fetches messages from Gmail 'All Mail', parses them, and prints sender, subject, date, and a body snippet to stdout without any consent prompt, masking, or warning. In an agent-skill context, this enables bulk exposure of private email content to logs, calling processes, or downstream tools, which is a real confidentiality risk even though the code only retrieves the last five messages.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script connects to a mailbox, fetches all messages from the inbox, parses them, and prints sender, subject, date, and a text snippet to stdout as JSON. In an agent/skill context, this can expose sensitive email contents to logs, downstream tools, or users without any confirmation, minimization, or access-control checks.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script fetches recent emails and prints sender, recipient, subject, date, and a body snippet directly to stdout. In an agent-skill context, stdout is often surfaced to users, logs, orchestration systems, or other tools, so this can disclose sensitive email content without access controls or explicit consent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Attachment filenames from untrusted email content are written directly to disk via path.join(outputDir, attachment.filename) without sanitization. A malicious sender could supply traversal-style names such as ../../target or absolute-path-like names, causing files to be written outside the intended directory and potentially overwriting local files.

Missing User Warnings

Medium
Confidence
67% confidence
Finding
The test command performs a real outbound email send rather than a non-delivery connectivity check only. This can cause unintended network transmission and leakage of operational metadata to the configured mailbox, which is more sensitive because users may assume 'test' is non-invasive.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script writes the supplied email address and password/app password directly into a local .env file in plaintext. This is dangerous because credentials may be exposed through local compromise, backups, shell-user sharing, accidental commits, or overly permissive file permissions, and the script does not warn users or restrict access to the file.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script immediately tests IMAP and SMTP using the provided credentials, which transmits those secrets to remote servers, yet it does not explicitly warn the user that network authentication will occur. This becomes more concerning because the script can be configured to accept self-signed certificates, increasing the risk of credential exposure to a man-in-the-middle in misconfigured or hostile environments.

Credential Access

High
Category
Privilege Escalation
Content
#!/usr/bin/env node
const Imap = require('imap');
const path = require('path');
require('dotenv').config({ path: path.join(__dirname, '.env') });

const host = process.env.IMAP_HOST || 'imap.gmail.com';
const port = parseInt(process.env.IMAP_PORT || '993', 10);
Confidence
85% confidence
Finding
.env'

Credential Access

High
Category
Privilege Escalation
Content
const Imap = require('imap');
const { simpleParser } = require('mailparser');
const path = require('path');
require('dotenv').config({ path: path.join(__dirname, '.agents', 'skills', 'imap-smtp-email', '.env') });

const config = {
  user: process.env.IMAP_USER,
Confidence
88% confidence
Finding
.env'

Unpinned Dependencies

Low
Category
Supply Chain
Content
"search": "node scripts/imap.js search"
  },
  "dependencies": {
    "dotenv": "^16.6.1",
    "imap": "^0.8.19",
    "imap-simple": "^5.1.0",
    "mailparser": "^3.9.3",
Confidence
94% confidence
Finding
"dotenv": "^16.6.1"

Unpinned Dependencies

Low
Category
Supply Chain
Content
},
  "dependencies": {
    "dotenv": "^16.6.1",
    "imap": "^0.8.19",
    "imap-simple": "^5.1.0",
    "mailparser": "^3.9.3",
    "nodemailer": "^7.0.13"
Confidence
94% confidence
Finding
"imap": "^0.8.19"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"dependencies": {
    "dotenv": "^16.6.1",
    "imap": "^0.8.19",
    "imap-simple": "^5.1.0",
    "mailparser": "^3.9.3",
    "nodemailer": "^7.0.13"
  },
Confidence
94% confidence
Finding
"imap-simple": "^5.1.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"dotenv": "^16.6.1",
    "imap": "^0.8.19",
    "imap-simple": "^5.1.0",
    "mailparser": "^3.9.3",
    "nodemailer": "^7.0.13"
  },
  "keywords": [
Confidence
94% confidence
Finding
"mailparser": "^3.9.3"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"imap": "^0.8.19",
    "imap-simple": "^5.1.0",
    "mailparser": "^3.9.3",
    "nodemailer": "^7.0.13"
  },
  "keywords": [
    "imap",
Confidence
96% confidence
Finding
"nodemailer": "^7.0.13"

Known Vulnerable Dependency: nodemailer==7.0.13 — 6 advisory(ies): GHSA-268h-hp4c-crq3 (Nodemailer: CRLF injection in Nodemailer List-* header comments allows arbitrary); GHSA-c7w3-x93f-qmm8 (Nodemailer has SMTP command injection due to unsanitized `envelope.size` paramet); GHSA-p6gq-j5cr-w38f (Nodemailer: Message-level raw option bypasses disableFileAccess/disableUrlAccess) +3 more

High
Category
Supply Chain
Confidence
99% confidence
Finding
nodemailer==7.0.13

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
fetch_allmail.js:7

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
fetch_emails.js:7

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/check_emails.js:7

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/imap.js:23