Trust Assessment
mailbox received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 0 critical, 3 high, 2 medium, and 0 low severity. Key findings include "Missing required field: name", "Unpinned external dependency", and "Access to highly sensitive email management tool".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Unpinned external dependency.** The skill requires installing `mailbox-cli` globally via `npm install -g mailbox-cli` without specifying a version. This allows for arbitrary code execution if a malicious update is pushed to the `mailbox-cli` package on npm, potentially compromising the system running the agent. An attacker could publish a new version of `mailbox-cli` containing malicious code, which would then be installed and executed by the system when the skill is set up or updated. Pin the dependency to a specific, known-good version (e.g., `npm install -g mailbox-cli@1.2.3`) and consider using a package lock file or a private registry to ensure integrity and prevent unexpected changes. | LLM | SKILL.md:10 |
| HIGH | **Access to highly sensitive email management tool.** The skill grants the AI agent access to the `mailbox` CLI tool, which can perform operations such as listing, viewing, and deleting emails. This provides the agent with broad and sensitive access to a user's personal communications, posing a significant privacy and security risk if misused or compromised. For example, a compromised agent could delete critical emails or expose private conversations. Carefully evaluate the necessity of granting an AI agent full email management capabilities. Implement strict access controls, user consent mechanisms, and granular permissions within the `mailbox` tool or the agent's execution environment to limit potential damage. Consider read-only access if full management is not strictly required. | LLM | SKILL.md:13 |
| HIGH | **Potential for command injection via CLI arguments.** The `mailbox` CLI tool is invoked with arguments like `<email_uid>` and `<account_id>`. If these arguments are derived from untrusted user input and are not rigorously sanitized by the AI agent before being passed to the shell, an attacker could inject malicious commands (e.g., `123; rm -rf /`) into the command string, leading to arbitrary command execution on the host system. The `SKILL.md` itself does not show sanitization, indicating a potential vulnerability in the agent's implementation. Ensure all arguments passed to the `mailbox` CLI are strictly validated and sanitized. Use a robust argument parsing library or escape shell metacharacters for any user-provided input before constructing the command string. Prefer using a safe subprocess execution method that avoids shell interpretation where possible. | LLM | SKILL.md:15 |
| MEDIUM | **Missing required field: name.** The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/leeguooooo/mailbox/SKILL.md:1 |
| MEDIUM | **Skill enables access to sensitive user email data.** The `mailbox` CLI tool, which this skill utilizes, is designed to access and manage user emails. Emails often contain highly sensitive personal and confidential information. While the skill itself does not exfiltrate data, it provides the AI agent with the capability to read and potentially process this sensitive information, creating a vector for data exfiltration if the agent or the underlying `mailbox-cli` tool is compromised. For instance, a malicious prompt could instruct the agent to read emails and then transmit their content to an external service. Implement robust logging and monitoring of all `mailbox` CLI interactions. Ensure that the agent's environment is isolated and that any data processed from emails is handled with the highest security standards (e.g., encryption, redaction, strict retention policies). Restrict the agent's ability to transmit raw email content externally. | LLM | SKILL.md:15 |