Security audit

batch-send-mail

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward bulk email skill, but users should handle saved SMTP credentials and real sends carefully.

Install only if you are comfortable with a tool that can send bulk email through your SMTP account. Use --dry-run first, verify recipients, CCs, template substitutions, subject, and attachments, then explicitly approve any real send. Prefer an app-specific SMTP password or authorization code, protect or delete config/config.ini after use, and avoid using your primary account password.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (6)

Vague Triggers

Medium

Confidence: 80% confidence
Finding: The trigger instructions are overly broad, including generic phrases like '批量发邮件', '群发邮件', and '批量发送邮件', with wording that says the skill should be used whenever the user says them. Broad triggers increase the chance of accidental activation for sensitive actions involving outbound email and credential handling.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The documentation states that SMTP passwords or authorization codes are saved to config/config.ini for later reuse, but provides no explicit warning about local secret storage risks. Storing email credentials in a plaintext config file can lead to credential theft, unauthorized email sending, and broader account compromise if the file is read by other users, tools, or malware.

Vague Triggers

Medium

Confidence: 75% confidence
Finding: The eval prompt asks to "检查 batch-send-mail 技能" and "用示例文件生成预览", which is broad enough to overlap with ordinary user requests to inspect or test the skill rather than a narrowly scoped evaluation-only trigger. In a skill that can send bulk email and handle SMTP credentials, broad trigger phrasing increases the chance of unintended activation in non-eval contexts, potentially leading to privacy, spam, or credential-handling risks if execution is not constrained to dry-run mode.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The script persistently stores the SMTP password/authorization code in a local INI file in plaintext. Any local user, malware, backup system, or accidental repository inclusion could expose those credentials, enabling unauthorized email sending, account abuse, and potential compromise of other services if the secret is reused. In this skill's context, the risk is elevated because the functionality directly enables bulk outbound email, so stolen credentials can be abused immediately for spam or phishing.

Unpinned Dependencies

Low

Category: Supply Chain
Content: pandas>=2.0.0 openpyxl>=3.1.0
Confidence: 94% confidence
Finding: pandas>=2.0.0

Unpinned Dependencies

Low

Category: Supply Chain
Content: pandas>=2.0.0 openpyxl>=3.1.0
Confidence: 95% confidence
Finding: openpyxl>=3.1.0

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.