Skill email-notify Audit History

Audit History

email-notify - 6 audits

Audit version 6

Latest: Medium risk

Jun 28, 2026, 08:18 PM

Static findings for network, environment access, filesystem references, and documented commands are mostly expected for an SMTP notification skill. No prompt injection or malicious intent was found, but the skill can email task summaries and uses SMTP credentials from environment variables, so users need a clear data disclosure warning.

Files scanned: 2
Lines analyzed: 282
Findings: 13
Auditor: codex
Medium-risk issues (3)
Task Summary Can Be Sent Over SMTP
The helper sends email through smtplib and includes the task title, status, project, device name, and summary. This is the intended feature, but it can disclose sensitive task details if the summary contains secrets or private project information.
SMTP Credentials Are Read From Environment Variables
The script reads SMTP host, username, password, sender, recipients, and TLS settings from environment variables. This is normal for SMTP configuration, but credentials can be exposed if shell profiles or logs are mishandled.
Plaintext Email Password Configuration Is Recommended
The instructions tell users to place CODEX_EMAIL_PASSWORD in shell startup files. This is easy to use but increases exposure to local users, backups, terminal history, and accidental sharing.
Low-risk issues (5)
AGENTS.md Project Name Read Is Limited
The script searches upward for AGENTS.md and reads it to extract a project name. This is filesystem access, but it is limited to project metadata and no file contents are emailed except the extracted name.
Documented Command Is Not Dynamic Shell Execution
The command in SKILL.md is a user-facing example for running the helper script. I did not find code that builds or executes shell commands dynamically.
Weak Cryptography Finding Is Not Supported By Evidence
The weak cryptography static finding appears to be triggered by SMTP text, not by a weak hash, cipher, or custom cryptographic implementation. The script uses standard SMTP, SMTP_SSL, and STARTTLS controls.
System Reconnaissance Finding Is Not Supported By Evidence
The flagged lines validate boolean environment values and tell users to avoid secrets in summaries. I did not find host probing, process listing, network scanning, or system inventory collection.
Hidden Home Path References Are Installation Documentation
The skill mentions shell startup files and a ~/.codex skill path. These references are expected for local configuration, but users should protect files containing credentials.

Detected patterns

Network Transmission With User-Supplied Summary
Credential Use For Outbound SMTP

Audit version 5

Low risk

Jan 16, 2026, 08:48 PM

This skill is a straightforward SMTP email notification utility. It reads environment variables for SMTP configuration, reads AGENTS.md for optional project name extraction, and sends task completion notifications via standard Python smtplib. All detected patterns are expected functionality - email sending is the stated purpose, environment access is for configuration, and filesystem reads are for project name resolution. No malicious behavior confirmed.

Files scanned: 3
Lines analyzed: 521
Findings: 3
Auditor: claude
No security issues were found

Risk factors

🌐 Network access (1)
🔑 Environment variables (1)
📁 Filesystem access (1)

Audit version 4

Low risk

Jan 16, 2026, 08:48 PM

This skill is a straightforward SMTP email notification utility. It reads environment variables for SMTP configuration, reads AGENTS.md for optional project name extraction, and sends task completion notifications via standard Python smtplib. All detected patterns are expected functionality - email sending is the stated purpose, environment access is for configuration, and filesystem reads are for project name resolution. No malicious behavior confirmed.

Files scanned: 3
Lines analyzed: 521
Findings: 3
Auditor: claude
No security issues were found

Risk factors

🌐 Network access (1)
🔑 Environment variables (1)
📁 Filesystem access (1)

Audit version 3

Low risk

Jan 8, 2026, 05:57 AM

This skill is a straightforward SMTP email notification script. It reads environment variables and AGENTS.md for configuration, then sends task completion notifications via SMTP. No malicious behavior detected. The code matches its stated purpose of sending email notifications.

Files scanned: 2
Lines analyzed: 282
Findings: 4
Auditor: claude
No security issues were found

Risk factors

Audit version 2

Low risk

Jan 8, 2026, 05:57 AM

This skill is a straightforward SMTP email notification script. It reads environment variables and AGENTS.md for configuration, then sends task completion notifications via SMTP. No malicious behavior detected. The code matches its stated purpose of sending email notifications.

Files scanned: 2
Lines analyzed: 282
Findings: 4
Auditor: claude
No security issues were found

Risk factors

Audit version 1

Low risk

Jan 8, 2026, 05:57 AM

This skill is a straightforward SMTP email notification script. It reads environment variables and AGENTS.md for configuration, then sends task completion notifications via SMTP. No malicious behavior detected. The code matches its stated purpose of sending email notifications.

Files scanned: 2
Lines analyzed: 282
Findings: 4
Auditor: claude
No security issues were found

Risk factors