Back to skill

Security audit

Near Email Skill

Security checks across malware telemetry and agentic risk

Overview

This documentation-only NEAR email skill is purpose-aligned, but users should handle payment keys carefully and confirm destructive or public-on-chain actions.

Install only if you trust the maintainer and the OutLayer/NEAR service. Store payment keys and NEAR private keys in environment variables or a secret manager, use encrypted send_email for private content, treat send_email_plaintext as public and durable blockchain data, and require explicit confirmation before deleting emails or sending attachments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill description says it can 'send and read' emails, but the documented API also exposes `delete_email`. This scope mismatch can cause agents or users to invoke a destructive capability they did not expect, weakening consent and increasing the chance of accidental data loss.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The documented API includes a delete_email capability even though the skill metadata says it is for sending and reading emails. That scope mismatch can mislead downstream agents, policy engines, or users into granting the skill broader authority than expected, enabling unintended destructive actions against mailbox contents.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The payment-key examples show credential-bearing requests but do not warn that the `X-Payment-Key` is a secret equivalent to an API credential. In agent contexts, this omission increases the risk of logging, prompt leakage, source control exposure, or unsafe client-side embedding of reusable credentials.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Documenting `delete_email` without warning about irreversibility or confirmation requirements normalizes a destructive action as routine. In an agent skill, that can lead to unintended deletion of user communications, especially when an LLM infers actions from broad instructions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The delete_email action is destructive and the reference provides no warning, confirmation flow, recovery limitations, or safety guidance. In an agent context, this increases the chance that a model or integrator will invoke deletion automatically or on ambiguous instructions, causing irreversible data loss.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This plaintext HTTPS example demonstrates sending email content via the 'send_email_plaintext' action without a nearby warning that contents may be publicly visible on-chain. Users may copy the snippet for sensitive notifications and unintentionally disclose personal, financial, or operational data permanently.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The NEAR transaction example sends plaintext email body data on-chain but lacks an immediate local warning, increasing the likelihood that developers treat it as suitable for ordinary private email. Because blockchain data is durable and broadly visible, misuse can expose sensitive message contents and metadata.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The Python plaintext send example omits a privacy warning even though it transmits subject and body in a plaintext action. That omission can lead users to send secrets, credentials, financial details, or personal data into a public and persistent channel.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This Python NEAR transaction example sends plaintext content without a nearby disclosure that the data may be publicly visible on-chain. The context is especially risky because transaction-based examples often look authoritative and production-ready, making accidental sensitive-data exposure more likely.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.