Email Operations

Security checks across malware telemetry and agentic risk

Overview

This email skill is mostly coherent, but it needs review because it can send local files and save email attachments using unsafe sender-provided filenames.

Install only if you are comfortable giving this skill access to the configured mailbox and send authority. Use an app-specific password, review recipients, subject, body, body-file paths, and attachment paths before sending, and save attachments only into a disposable folder until filenames are sanitized. VirusTotal was pending, so this verdict is based on artifact behavior rather than VT telemetry.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (5)

Context-Inappropriate Capability

Medium

Confidence: 94% confidence
Finding: The skill includes helper functionality to read arbitrary local files and later uses that data as outbound email body content or attachments. In an agent skill context, this expands the capability from mailbox interaction into local file access and exfiltration, which is dangerous because a prompt or tool invocation could cause sensitive host files to be emailed out without adequate boundary checks.

Context-Inappropriate Capability

High

Confidence: 98% confidence
Finding: The CLI send flow accepts user-supplied body-file, html-body-file, and attachments paths and directly reads those local files before sending email. That creates a straightforward exfiltration path from the local filesystem to an external recipient, which is especially risky for an agent skill that may be invoked with untrusted or indirect instructions.

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The trigger conditions are overly broad: the skill says it should activate whenever a request involves email send/receive operations even if the user does not explicitly mention SMTP/IMAP. Broad activation increases the chance of misfires on ordinary conversation, which is dangerous because this skill can access mailboxes and send messages.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill supports high-impact actions including reading email content, downloading attachments, sending emails, and bulk sending, but the documentation contains no user-facing warnings, approval gates, or confirmation requirements. In context, this is more dangerous because mailbox access exposes sensitive personal or business data and outbound email can be abused for impersonation, spam, or data exfiltration.

Missing User Warnings

Medium

Confidence: 77% confidence
Finding: The attachment-saving routine writes email attachments to attacker-influenced filenames on local disk with no user confirmation, safety disclosure, or sanitization of dangerous names. In a mail-processing skill, this can lead to unintended local persistence of untrusted content and potentially path traversal or overwrite-adjacent effects depending on the attachment filename supplied by a sender.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal