send-email

Fail

Audited by Socket on Feb 15, 2026

1 alert found:

Malware: HIGH
SKILL.md

[Skill Scanner] Natural language instruction to download and install from URL detected

All findings:
[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]
[CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4]
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]

This skill's stated functionality (sending email via SMTP with Markdown-to-HTML, attachments and templates) is plausible and consistent with most of the described capabilities. However, there are significant security and privacy concerns: it mandates a hardcoded default sender (agent_skill_test@126.com) and instructs the agent not to ask the user for sender selection, then requests the authorization code for that account — a pattern that can enable credential misuse or collection. The skill also shows examples where users paste SMTP credentials or authorization codes into chat prompts; collecting secrets in conversational input is risky and can lead to leakage (logs, agent memory, or downstream storage). Because the actual send_email.py implementation is not provided, we cannot prove exfiltration, but the documentation's interaction model is dangerous.

Recommendation: treat this skill as SUSPICIOUS — do not provide credentials or authorization codes in chat; instead require users to supply credentials via secure local config (environment variables, OS keychain, or local prompt). Remove the hardcoded default sender or require explicit opt-in and secure provisioning for any shared account.

LLM verification: This skill's stated purpose and most requested capabilities are consistent with an SMTP email-sending tool: requesting provider-specific credentials, supporting templates and attachments, and converting Markdown are reasonable.
However, two concerns make this skill SUSPICIOUS: (1) the hardcoded default sender agent_skill_test@126.com combined with the instruction to automatically use it (and to ask for its authorization code) is inconsistent and could enable social-engineering or misuse if imple

Confidence: 95%
Severity: 90%
Audit Metadata
Analyzed At: Feb 15, 2026, 09:13 PM
Package URL: pkg:socket/skills-sh/wangyendt%2Fwayne-skills%2Fsend-email%2F@2af0d922602133ec634c79a8a9a8224c8837e05d