Generic Mail Client

Security checks across malware telemetry and agentic risk

Overview

This is a real mail-client skill, but it gives an agent broad ability to send email and mutate mailbox state without visible confirmation or send-safety controls.

Install only with a dedicated mailbox or app-specific password, not a personal primary password. Put host-side confirmation and limits around sending, Bcc, attachments, and mailbox moves, and regenerate dependencies from a trusted HTTPS registry before relying on this in a sensitive environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Intent-Code Divergence

Severity: Low
Confidence: 94%
Finding
The code comment claims it extracts only the text/plain part, but when m.source is a string it returns the entire raw message source. That can expose full MIME content, hidden parts, metadata, and possibly attachment data to downstream consumers that expect only sanitized body text, increasing the risk of unintended data disclosure and unsafe rendering/parsing.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The exported sendEmail handler exposes a direct side-effecting operation that can send external email immediately with caller-supplied arguments, and this file shows no confirmation, policy gating, recipient restriction, or audit guardrails. In an agent skill context, that increases the risk of unintended outbound communication, spam, data leakage, or social-engineering actions triggered by a prompt or tool invocation.

Natural-Language Policy Violations

Severity: Medium
Confidence: 95%
Finding
The lockfile pins package tarball downloads to plain HTTP mirror URLs, which allows a network attacker or compromised intermediary to tamper with package contents in transit. While npm integrity hashes provide some protection, using an insecure transport for the software supply chain is still risky because it weakens provenance guarantees, enables downgrade or metadata manipulation scenarios, and indicates unsafe registry configuration for dependency retrieval.

VirusTotal

66/66 vendors flagged this skill as clean.