Back to skill

Security audit

Fastmail

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims, but it gives an agent broad control over private Fastmail email and calendar data without enough built-in safeguards for destructive or externally visible actions.

Install only if you trust this agent environment with broad access to your Fastmail email and calendar. Use revocable app-specific credentials, keep .env files out of source control, rotate secrets if exposed, and require explicit manual approval before any send, reply-all, delete, bulk email operation, calendar deletion/update, reminder removal, or RSVP action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill documentation indicates it uses environment variables and network access, but it does not declare permissions or prominently disclose those capabilities as permissions. In an agent/tooling context, undeclared access to secrets and external services weakens user trust boundaries and can enable unintended credential use or data exfiltration if the skill is invoked in a broader automation flow.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The calendar code hard-codes a +07:00 timezone assumption in date conversion logic despite the skill metadata claiming automatic system timezone detection. This can cause events and reminders to be created or interpreted at the wrong times, leading to integrity-impacting scheduling errors and potentially missed or unintended calendar actions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill advertises destructive and privacy-sensitive actions such as reading full email content, sending/replying, moving mail, deleting mail, and modifying calendars without any explicit warning or confirmation guidance. In an agent setting, these capabilities can cause irreversible user harm, privacy breaches, or unintended account changes if triggered from ambiguous prompts or automation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation instructs users to export sensitive credentials, including an API token and Fastmail password/app password, but provides no warning about secret handling, storage, logging, shell history exposure, or least-privilege usage. Because the skill manages email and calendar data, compromised credentials could expose private communications and allow unauthorized account actions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Email deletion is executed immediately by moving messages to Trash with no built-in confirmation, dry-run, or secondary safeguard in the code path. In an agent setting, this increases the risk that an accidental, prompt-induced, or ambiguous instruction results in destructive mailbox changes without user awareness.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Calendar events are deleted without any user-facing confirmation or contextual disclosure. In an agent-controlled workflow, this creates a realistic risk of unintended destructive changes to a user's schedule from ambiguous or manipulated prompts.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The CLI exposes a direct delete-email command that performs a destructive action immediately once invoked. In the context of an agent skill, lack of a confirmation barrier makes the command more dangerous because tool invocation may be driven by untrusted or mistaken natural-language instructions.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The CLI delete-event command directly deletes calendar events without confirmation or preview. In an agent environment, this can turn prompt mistakes or malicious prompt steering into destructive calendar modifications.

Missing User Warnings

High
Confidence
93% confidence
Finding
Bulk email deletion performs a destructive action over multiple items with no confirmation, rate limit, or preview of affected messages. In an agent skill that can be steered by user text, this substantially raises the blast radius of accidental or maliciously induced actions.

Natural-Language Policy Violations

Medium
Confidence
97% confidence
Finding
The code hard-codes a +07:00 timezone assumption instead of using user, system, or calendar timezone context. This can silently shift event times and reminders, causing integrity failures in scheduling and making agent-produced calendar actions unreliable.

Natural-Language Policy Violations

Medium
Confidence
97% confidence
Finding
iCal parsing converts event timestamps using a fixed +07:00 offset, which can misrepresent remote calendar data and lead to wrong display, updates, or reminder timing. This is especially dangerous for a scheduling skill because time integrity is central to safe behavior.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation exposes a destructive delete-email capability without any caution that it removes user data or may require confirmation before use. In an agent skill context, weak safety framing around destructive actions increases the chance of accidental invocation by users or upstream automation, leading to unintended mailbox data loss.

Missing User Warnings

High
Confidence
96% confidence
Finding
Bulk deletion is a higher-risk destructive operation because a single call can affect many messages at once, yet the documentation provides no caution about scope, confirmation, or recovery expectations. In an automated agent environment, this materially increases the blast radius of mistakes, prompt misunderstandings, or malicious instruction chaining.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Deleting calendar events can cause permanent loss of scheduling data and disrupt attendees or workflows, but the documentation lacks any warning or expectation of confirmation. For agent-driven tooling, omission of such cautions makes accidental deletion more likely, especially when event IDs are selected programmatically.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Responding to an invitation is an externally visible action that communicates attendance decisions to organizers and possibly other participants, yet the documentation does not warn users about that side effect. In an assistant skill, this can lead to unintended disclosures of intent or commitment if the action is taken automatically or without clear user awareness.

External Script Fetching

High
Category
Supply Chain
Content
### Requirements

- [Bun](https://bun.sh/) - JavaScript runtime (install with `curl -fsSL https://bun.sh/install | bash`)

## Troubleshooting
Confidence
97% confidence
Finding
curl -fsSL https://bun.sh/install | bash

Known Vulnerable Dependency: uuid==13.0.0 — 1 advisory(ies): CVE-2026-41907 (uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided)

Low
Category
Supply Chain
Confidence
83% confidence
Finding
uuid==13.0.0

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
dist/cli.js:1020

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/cli.js:10614