IMAP SMTP Email

Security checks across malware telemetry and agentic risk

Overview

This email skill is coherent for IMAP/SMTP use, but its optional watcher can run OpenClaw over mailbox content and forward summaries to another channel while inheriting mail credentials.

Install only if you are comfortable giving this skill access to the configured mailbox. Prefer a dedicated mailbox or app password, review the allowed read/write directories, treat the credential file as sensitive, avoid broad reply-all use, and do not enable the watcher unless you trust the configured OpenClaw binary, destination channel, and automatic forwarding behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The optional watcher extends the skill from mailbox access into cross-channel forwarding via the local OpenClaw CLI, which can exfiltrate summarized email content outside the original trust boundary. Because emails may contain sensitive business or personal data, forwarding summaries to another channel materially increases exposure and creates a second delivery path that users may not anticipate.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding:
This watcher goes beyond passive IMAP/SMTP handling and executes an external `openclaw` binary both to run an agent over email-derived state and to send outbound messages. That creates a privilege boundary crossing: untrusted email content can influence downstream agent behavior and trigger external actions, which increases the risk of prompt-injection-driven data access, unintended tool use, or unauthorized notifications.

Natural-Language Policy Violations

Severity: Medium
Confidence: 90%
Finding:
Defaulting to reply-all for business-thread replies increases the chance of unintended disclosure to all original recipients, especially when the agent is drafting or sending on a user's behalf. In email workflows, mistaken reply-all behavior can leak confidential content, reveal internal discussions, or contact external parties without explicit intent.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The script collects an email password/app password and writes it directly into a local .env-style file in plaintext. Although it later restricts file permissions with chmod 600, plaintext secret-at-rest storage still increases exposure through backups, local compromise, accidental disclosure, shell/user mistakes, or other processes reading the file; the lack of a clear warning before persistence makes this worse.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The script automatically triggers an SMTP test that sends a real email to the configured address immediately after setup, without a last-moment consent prompt. This can cause unintended outbound mail activity, leak that the account is active/configured, create audit/logging artifacts, and surprise users in environments where sending mail has policy or compliance implications.

VirusTotal

64/64 vendors flagged this skill as clean.