Trust Assessment
protonmail received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 2 high, 2 medium, and 0 low severity. Key findings include: unofficial Docker image used for 'Proton Bridge'; use of third-party `hydroxide` client; IMAP search query vulnerable to injection.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 56/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Unofficial Docker image used for 'Proton Bridge': The skill's setup instructions recommend 'Proton Bridge (official, recommended)' but then provide a `docker run` command using the `shenxn/protonmail-bridge` image. This is a third-party Docker image, not the official ProtonMail Bridge provided by Proton. Using unofficial images introduces a significant supply chain risk, as the image could be compromised or contain malicious code, potentially leading to credential theft or other security breaches. Replace the third-party Docker image with instructions to install and run the official ProtonMail Bridge client, or clearly state that `shenxn/protonmail-bridge` is a third-party alternative and explain the associated risks. If using a third-party image, provide guidance on verifying its integrity. | LLM | SKILL.md:15 |
| HIGH | IMAP search query vulnerable to injection: In `protonmail.py`, the `cmd_search` function constructs an IMAP search query using an f-string: `f'(OR SUBJECT "{args.query}" BODY "{args.query}")'`. If `args.query` contains IMAP special characters (e.g., double quotes, parentheses, or other IMAP command delimiters), an attacker could inject arbitrary IMAP search criteria. This could lead to bypassing intended filters, accessing unintended emails, or causing denial of service on the IMAP server. Sanitize or properly escape `args.query` before embedding it into the IMAP search string. `imaplib` does not provide a direct escaping function for search criteria, so manual escaping (e.g., replacing `"` with `\"` and handling other special characters) or using a more robust IMAP client library might be necessary. Alternatively, construct the search criteria as a list of strings for `imap.search` if the IMAP server supports it, or use a more restrictive search pattern. | LLM | protonmail.py:160 |
| MEDIUM | Use of third-party `hydroxide` client: The skill suggests using `hydroxide` by cloning a repository from `https://github.com/emersion/hydroxide.git`. While `hydroxide` is a known third-party client, relying on external, unvetted repositories for critical security infrastructure like email access introduces a supply chain risk. The repository could be compromised, or the software could contain vulnerabilities or malicious code. Advise users of the risks associated with third-party software for email access. If possible, provide instructions for verifying the integrity of the cloned repository (e.g., checking GPG signatures or specific commit hashes). | LLM | SKILL.md:27 |
| MEDIUM | Skill accesses and displays sensitive email content: The `protonmail.py` and `daily-scan.py` scripts are designed to connect to an IMAP server, fetch email headers (From, Subject, Date) and potentially full email bodies (in `cmd_read` of `protonmail.py`). This information is then printed to standard output. While this is the intended functionality of an email client skill, it means that sensitive user data (email content, sender/subject information) is accessed and processed by the skill. If the LLM is then instructed to summarize or transmit this output, it could lead to unintended data exposure. This is an inherent risk of any skill that handles personal communications. Implement strict access controls and data handling policies for the LLM's interaction with this skill. Ensure that the LLM is not instructed to store, transmit, or summarize sensitive email content beyond the user's explicit intent. Consider redacting sensitive parts of emails before displaying them to the user or LLM, if possible. Add clear warnings to the user about the sensitive nature of the data being processed. | LLM | protonmail.py:125 |
Full report: https://skillshield.io/report/6cd86f3c3f0af729