qq-email
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFEPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted external data in the form of email content, which presents an indirect prompt injection surface. A malicious email could contain hidden instructions that influence the AI agent's behavior.
- Ingestion points: The scripts
scripts/receive.jsandscripts/get-body.jsread email subjects, summaries, and full bodies. - Boundary markers: There are no delimiters or boundary markers used to isolate the fetched email content from the agent's internal reasoning or subsequent instructions.
- Capability inventory: The skill provides the ability to send emails (
scripts/send.js), which could be abused if the agent is tricked by a malicious incoming email. - Sanitization:
scripts/get-body.jsperforms basic HTML tag stripping, but this is insufficient to sanitize natural language instructions. - [DATA_EXFILTRATION]: The scripts
scripts/get-body.jsandscripts/receive.jsconfigure the IMAP connection withtlsOptions: { rejectUnauthorized: false }. This explicitly disables SSL/TLS certificate verification. While targeting the well-known serviceimap.qq.com, this configuration makes the connection vulnerable to Man-in-the-Middle (MitM) attacks, potentially exposing the email credentials (QQ_EMAIL_AUTH_CODE) or email data to an attacker on the network.
Audit Metadata