Agentmail.to Inbox Ops

Security checks across malware telemetry and agentic risk

Overview

The skill is purpose-built for Agentmail inbox work, but it can send replies and change mailbox state in bulk without a separate confirmation step.

Install only if you are comfortable giving these scripts access to an Agentmail inbox. Use a scoped API key where possible, keep `.env`, logs, and downloaded attachments private, run reply workflows with `--dry-run` first, avoid broad sender allowlist values, and prefer patching the reply flow to require an explicit confirmation flag before real sends.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding: The skill instructs the agent to use scripts that require environment secrets, local file access, network access, and shell execution, yet the skill declares no permissions or capability boundaries. This creates a trust and governance gap: operators and any enforcement layer cannot accurately understand or constrain what the skill can do, increasing the chance of unintended email actions, attachment handling, or secret exposure.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: The skill repeatedly frames itself as mandatory for all Agentmail.to email actions and 'not optional,' which is overly broad and can pressure an agent into invoking a high-capability skill even when a narrower or safer path would suffice. In context, this matters because the skill can read emails, download untrusted attachments, send replies, and change message state, so over-invocation expands exposure to sensitive content and increases the chance of unintended side effects.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding: The notes document behavior that can automatically reply to unread emails, add labels, and mark messages as read without an explicit warning that the skill performs state-changing mailbox actions. In an inbox-operations skill, this is materially risky because users may invoke it expecting analysis or retrieval, but it can modify communication state and send outbound messages, causing unintended actions, missed emails, or reputational harm.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: This script performs real outbound replies and changes message labels/read state in bulk based only on CLI arguments, without any built-in confirmation, safety interlock, or prominent warning at the point of action. In an inbox-operations skill, that makes accidental misuse more likely: a bad sender filter, unexpected inbox contents, or operator error can trigger unintended auto-replies and state changes to multiple messages.

VirusTotal

64/64 vendors flagged this skill as clean.