๐Ÿ›ก๏ธ SafeAgentSkills

Lel Mail

ยท v1.1.4

High Risk

Send and read email via a combination of python and bash scripts which makes use of the main agent for reasoning and logic. This skill enables the agent to write to memory based on contents in the email and to reach out to the user either to notify them of happenings or to request inputs to respond. This skill also contains a python script to read and manage the email queue containing functionality to list pending outgoing emails and delete emails before they can be sent out. Please note that this skill enables the agent to act upon received emails by adding to agent memory and sending responses

H:4 D:4 A:2 C:1

โš ๏ธ Hazard Flags

EXEC FS_READ_WORKSPACE NET_EGRESS_ANY CREDS_ENV PI_WEB

๐Ÿ“‹ Capabilities

Execution

  • โœ… Shell execution
  • โŒ Code execution
  • โŒ Install dependencies
  • โŒ Persistence
  • Privilege: user

Filesystem

  • โœ… Read workspace
  • โŒ Write workspace
  • โŒ Read home
  • โŒ Write home
  • โŒ Read system
  • โŒ Delete

Network

  • Egress: any
  • โŒ Ingress

Credentials

  • โœ… Environment vars
  • โŒ Credential files
  • โŒ Browser data
  • โŒ Keychain

Actions

โŒ send messagesโŒ post publicโŒ purchaseโŒ transfer moneyโŒ deployโŒ delete external

๐Ÿ”’ Containment

Level: maximum

Required:
  • SANDBOX_CONTAINER: Code execution capability
Recommended:
  • LOG_ACTIONS: Audit trail for all actions

โšก Risks

Unauthorized tool use: MCP_SYS_CRITICAL_ACCESS high

Mitigation: Avoid accessing system directories unless absolutely necessary.

Command injection risk: MCP_SQL_BLIND high

Mitigation: Remove SQL exploitation patterns.

Social engineering indicators: SOCIAL_ENG_VAGUE_DESCRIPTION low

Mitigation: Provide clear, detailed description of skill functionality

Data exfiltration patterns: INSTRUCTED_SENSITIVE_SERVICE_ACCESS high

Mitigation: Clearly document which sensitive services are accessed and why; use minimal required permissions

Want a deeper analysis?

This report was generated by static analysis. Get an LLM-powered deep review with behavioral reasoning and attack surface mapping.

๐Ÿง  Deep Analysis โ€” $5.00

๐Ÿšจ Incident Response

Kill switch: Stop the agent process

Containment: Review logs for unexpected actions

Recovery: Depends on skill capabilities

๐Ÿ“„ Raw SSDS JSON click to expand 
{
  "meta": {
    "document_id": "ssds:auto:lel-mail:1.1.4",
    "ssds_version": "0.2.0",
    "scanner_version": "0.4.0+fe6fd9123d50",
    "created_at": "2026-03-05T13:34:58.522Z",
    "created_by": {
      "agent": "safeagentskills-cli/generate-ssds"
    },
    "language": "en",
    "notes": "Auto-generated SSDS. Manual review recommended."
  },
  "skill": {
    "name": "Lel Mail",
    "version": "1.1.4",
    "format": "agent_skill",
    "description": "Send and read email via a combination of python and bash scripts which makes use of the main agent for reasoning and logic. This skill enables the agent to write to memory based on contents in the email and to reach out to the user either to notify them of happenings or to request inputs to respond. This skill also contains a python script to read and manage the email queue containing functionality to list pending outgoing emails and delete emails before they can be sent out. Please note that this skill enables the agent to act upon received emails by adding to agent memory and sending responses",
    "publisher": "unknown",
    "source": {
      "channel": "local"
    },
    "artifact": {
      "sha256": "bce4b067be0596d796fcd6a004c07fc8a752da4bb4c314b4c1cf4afa6e59cdf2",
      "hash_method": "files_sorted"
    }
  },
  "capabilities": {
    "execution": {
      "can_exec_shell": true,
      "can_exec_code": false,
      "privilege_level": "user",
      "can_install_deps": false,
      "can_persist": false
    },
    "filesystem": {
      "reads_workspace": true,
      "reads_user_home": false,
      "reads_system": false,
      "writes_workspace": false,
      "writes_user_home": false,
      "writes_system": false,
      "can_delete": false
    },
    "network": {
      "egress": "any",
      "ingress": false
    },
    "credentials": {
      "reads_env_vars": true,
      "reads_credential_files": false,
      "reads_browser_data": false,
      "reads_keychain": false
    },
    "services": [
      {
        "service": "email",
        "operations": [
          "read",
          "write"
        ]
      }
    ],
    "actions": {
      "can_send_messages": false,
      "can_post_public": false,
      "can_purchase": false,
      "can_transfer_money": false,
      "can_deploy": false,
      "can_delete_external": false
    },
    "prompt_injection_surfaces": [
      "web"
    ],
    "content_types": [
      "general"
    ]
  },
  "hazards": {
    "hdac": {
      "H": 4,
      "D": 4,
      "A": 2,
      "C": 1
    },
    "flags": [
      "EXEC",
      "FS_READ_WORKSPACE",
      "NET_EGRESS_ANY",
      "CREDS_ENV",
      "PI_WEB"
    ],
    "custom_flags": [
      {
        "code": "TOOL_ABUSE",
        "name": "Unauthorized Tool Use",
        "description": "MCP_SYS_CRITICAL_ACCESS: Access to critical system directories"
      },
      {
        "code": "SOCIAL_ENGINEERING",
        "name": "Social Engineering Risk",
        "description": "SOCIAL_ENG_VAGUE_DESCRIPTION: Skill description is too vague or missing"
      },
      {
        "code": "COMMAND_INJECTION",
        "name": "Command Injection Risk",
        "description": "MCP_SQL_BLIND: Blind SQL injection, system table access, or stored procedure abuse"
      },
      {
        "code": "DATA_EXFILTRATION",
        "name": "Data Exfiltration Risk",
        "description": "INSTRUCTED_SENSITIVE_SERVICE_ACCESS: Instructs agent to access sensitive services (email, calendar, contacts, drive)"
      }
    ],
    "confidence": {
      "level": "medium",
      "basis": [
        "static_analysis"
      ],
      "notes": "Detected 4 security patterns (6 vendored rule hits). Review recommended."
    },
    "rationale": {
      "H": "H4: Critical: Privilege escalation or malware detected",
      "D": "D4: Critical: Credential theft or data exfiltration",
      "A": "A2: Service integrations detected",
      "C": "C1: General content"
    }
  },
  "containment": {
    "level": "maximum",
    "required": [
      {
        "control": "SANDBOX_CONTAINER",
        "reason": "Code execution capability"
      }
    ],
    "recommended": [
      {
        "control": "LOG_ACTIONS",
        "reason": "Audit trail for all actions"
      }
    ],
    "uncontained_risk": "Risk level depends on manual review of actual capabilities."
  },
  "risks": {
    "risks": [
      {
        "risk": "Unauthorized tool use: MCP_SYS_CRITICAL_ACCESS",
        "severity": "high",
        "mitigation": "Avoid accessing system directories unless absolutely necessary."
      },
      {
        "risk": "Command injection risk: MCP_SQL_BLIND",
        "severity": "high",
        "mitigation": "Remove SQL exploitation patterns."
      },
      {
        "risk": "Social engineering indicators: SOCIAL_ENG_VAGUE_DESCRIPTION",
        "severity": "low",
        "mitigation": "Provide clear, detailed description of skill functionality"
      },
      {
        "risk": "Data exfiltration patterns: INSTRUCTED_SENSITIVE_SERVICE_ACCESS",
        "severity": "high",
        "mitigation": "Clearly document which sensitive services are accessed and why; use minimal required permissions"
      }
    ],
    "limitations": [
      "Static analysis only - runtime behavior not verified"
    ]
  },
  "incident_response": {
    "kill_switch": [
      "Stop the agent process"
    ],
    "containment": [
      "Review logs for unexpected actions"
    ],
    "recovery": [
      "Depends on skill capabilities"
    ]
  },
  "evidence": [
    {
      "evidence_id": "EV:file-1",
      "type": "file_excerpt",
      "title": "scripts/check_email.sh",
      "file_path": "scripts/check_email.sh"
    },
    {
      "evidence_id": "EV:file-2",
      "type": "file_excerpt",
      "title": "scripts/email_send.sh",
      "file_path": "scripts/email_send.sh"
    },
    {
      "evidence_id": "EV:file-3",
      "type": "file_excerpt",
      "title": "scripts/email_sender_daemon.sh",
      "file_path": "scripts/email_sender_daemon.sh"
    },
    {
      "evidence_id": "EV:file-4",
      "type": "file_excerpt",
      "title": "scripts/manage_queue.py",
      "file_path": "scripts/manage_queue.py"
    },
    {
      "evidence_id": "EV:file-5",
      "type": "file_excerpt",
      "title": "SKILL.md",
      "file_path": "SKILL.md"
    },
    {
      "evidence_id": "EV:file-6",
      "type": "file_excerpt",
      "title": "_meta.json",
      "file_path": "_meta.json"
    },
    {
      "evidence_id": "EV:cisco-1",
      "type": "file_excerpt",
      "title": "MCP_SYS_CRITICAL_ACCESS [HIGH] scripts/check_email.sh:1: #!/usr/bin/env bash",
      "file_path": "scripts/check_email.sh"
    },
    {
      "evidence_id": "EV:cisco-2",
      "type": "file_excerpt",
      "title": "MCP_SYS_CRITICAL_ACCESS [HIGH] scripts/email_send.sh:1: #!/usr/bin/env bash",
      "file_path": "scripts/email_send.sh"
    },
    {
      "evidence_id": "EV:cisco-3",
      "type": "file_excerpt",
      "title": "MCP_SYS_CRITICAL_ACCESS [HIGH] scripts/email_sender_daemon.sh:1: #!/usr/bin/env bash",
      "file_path": "scripts/email_sender_daemon.sh"
    },
    {
      "evidence_id": "EV:cisco-4",
      "type": "file_excerpt",
      "title": "MCP_SQL_BLIND [HIGH] scripts/email_sender_daemon.sh:116: time.sleep(delay_seconds)",
      "file_path": "scripts/email_sender_daemon.sh"
    },
    {
      "evidence_id": "EV:cisco-5",
      "type": "file_excerpt",
      "title": "INSTRUCTED_SENSITIVE_SERVICE_ACCESS [HIGH] SKILL.md:3: description: Send and read email via a combination of python and bash scripts wh",
      "file_path": "SKILL.md"
    },
    {
      "evidence_id": "EV:cisco-6",
      "type": "file_excerpt",
      "title": "SOCIAL_ENG_VAGUE_DESCRIPTION [LOW] SKILL.md:1: ---",
      "file_path": "SKILL.md"
    }
  ]
}