ClawHub

Doro Email To Calendar

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent email-to-calendar purpose, but it needs review because it can broadly scan email, automatically change email and calendar state, persist email-derived logs, alter global workflow files, and contains a real shell-execution bug.

Review before installing. Use this only if you intend to grant an agent access to read email and mutate calendars. Prefer forwarded-only mode, disable mark-read/archive and auto-dispose until tested, avoid attendee notifications unless you approve each invite, and patch the shell=True lookup-validation bug before using validation on writable tracking data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (31)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
else:
                            print(f"Orphaned event detected: {event_id} - removing from tracking", file=sys.stderr)
                            if script_dir:
                                subprocess.run(
                                    f'{script_dir}/delete_tracked_event.sh --event-id "{event_id}"',
                                    shell=True, capture_output=True
                                )
Confidence
98% confidence
Finding
subprocess.run( f'{script_dir}/delete_tracked_event.sh --event-id "{event_id}"', shell=True, cap

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The bootstrap instructs the agent to read and potentially modify a global HEARTBEAT.md file, which persists behavior outside the immediate task of converting emails into calendar events. This creates cross-skill workflow influence and unauthorized persistence, especially because the modification is framed as automatic bootstrap behavior rather than something requiring explicit user approval.

Context-Inappropriate Capability

Low
Confidence
89% confidence
Finding
The instruction to log all scanning activity silently introduces unnecessary data retention for email-derived activity without clear user visibility or strict minimization. In an email-processing skill, silent audit trails can accumulate sensitive metadata or content and increase exposure if logs are later accessed, exfiltrated, or reused beyond the original purpose.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The skill states 'ALWAYS ASK BEFORE CREATING' but also instructs the agent to apply auto-create patterns and labels some events as 'AUTO-CREATE', creating conflicting authority over whether user consent is required. In practice, this can lead to unauthorized calendar creation from email content, especially in inbox-scanning mode where untrusted messages may trigger actions without fresh confirmation.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The workflow reads a local config file and invokes an external calendar CLI that can create events and send updates to attendees, but the document does not clearly constrain when these side effects are allowed or emphasize explicit user authorization before using local configuration and external services. In an agent setting, this broad operational pattern increases the risk of unintended data access and external actions, especially because forwarded email content is transformed into calendar content and invitations.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The script’s documented behavior understates its actual side effects: beyond creating or updating calendar events, it also updates invite tracking and may disposition the source email. This can mislead users, reviewers, or calling agents into granting broader authority than intended, increasing the risk of unintended state changes in another system.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The module is presented as an email-to-calendar helper, but it also exposes a general-purpose send_email capability. In an agent skill context, this expands the tool's authority beyond the apparent task scope and can enable unintended or abusive outbound communication if the agent or calling workflow is compromised or insufficiently constrained.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
`lookup_events()` is documented as a read-only lookup that prints JSON, but in validation mode it can delete tracking entries by launching a shell script. This hidden side effect is dangerous because callers may invoke a seemingly safe read operation in contexts where mutation is unexpected, increasing the chance of integrity loss and making review and safe use harder.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The bootstrap directs the agent to add sections to HEARTBEAT.md and initialize pending_invites.json automatically, without any user-facing notice or confirmation. Persistent file creation and workflow alteration without consent is risky because it changes future agent behavior and creates stored state that the user may not expect or monitor.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The setup flow explicitly encourages users to press Enter to accept defaults that include mailbox-modifying actions such as marking messages read, archiving them, and auto-processing calendar replies. This is dangerous because users may consent to destructive or state-changing behavior without a clear warning, increasing the risk of silent data handling changes and missed email visibility.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The skill supports direct inbox monitoring that scans broad unread email scope for event indicators, which expands activation to many messages beyond explicitly forwarded or selected emails. This increases the chance that untrusted, irrelevant, or maliciously crafted emails are processed and converted into actions or stored records without sufficiently narrow user intent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The top-level description highlights convenience features but does not prominently disclose that the skill performs silent activity logging, stores extracted email-derived data, and may automatically mark/archive emails after event creation. Missing upfront disclosure undermines informed consent and can surprise users with state changes to sensitive communications.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger list includes generic phrases such as "check emails" and "scan inbox," which can cause the skill to activate in situations broader than a user may intend. Because this skill requests email-reading and calendar-writing capabilities, accidental invocation could expose inbox contents and create or modify calendar events without sufficiently clear user intent.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The description explicitly advertises "silent activity logging," which is risky in a skill that reads email and updates calendar data. Silent logging of sensitive communications and derived event details without clear notice, consent, retention limits, or purpose justification can lead to privacy violations, unauthorized data collection, and misuse of highly sensitive personal or business information.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document instructs the system to delete or update existing calendar events when cancellation language is detected, but it does not require user confirmation, strong event identity verification, or audit/logging. In an email-extraction context, this can cause unintended modification or deletion of legitimate calendar entries if cancellation text is misparsed, spoofed, or matched to the wrong event.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The workflow stores extracted data from a forwarded email into persistent memory without any notice, consent, retention limit, or data-minimization guidance. Because forwarded emails can contain personal, confidential, or client information, silent retention creates privacy and compliance risk even if the feature is intended for convenience.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The workflow creates calendar events from email-derived content and uses '--send-updates all', which can transmit information externally to configured attendees without an explicit warning or confirmation that data from the forwarded email will be shared. This is particularly risky because the description includes sender identity, location, and action items copied from the email, so a parsing error or maliciously crafted email could cause unintended disclosure to third parties.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script records email-related metadata into a persistent local activity log without any runtime notice, consent prompt, or visible indication to the user. In an agent-skill context, silent collection of subjects, titles, reasons, and email identifiers can create privacy and compliance risk because sensitive operational metadata may be retained unexpectedly and later exposed to anyone with access to the workspace or account.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This script performs a destructive action (deleting a calendar event) immediately once invoked, with no built-in confirmation, dry-run mode, or secondary validation of the target event. In an agent setting, where parameters may be supplied automatically or influenced by user prompts/tool chaining, this increases the risk of accidental or unauthorized deletion of calendar data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script automatically invokes email disposition after event creation whenever an email ID is present, with no explicit confirmation or warning in this file. In an agent skill context, hidden automatic mark-read/archive behavior is dangerous because it can silently alter evidence, user workflow, or auditability of the originating email.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This script automatically searches for unread messages from calendar-notification@google.com and then calls disposition_email.sh to modify mailbox state without an explicit confirmation step at execution time. Even though the behavior is intentional and gated by a config flag, it still performs mailbox-changing actions based on broad matching criteria and can cause unintended loss of visibility into important calendar updates if messages are misclassified or the sender/query assumptions are wrong.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This code persistently stores email-derived activity data under the user's home directory, including email IDs, subjects, skip reasons, and extracted event titles, without any notice, consent, retention control beyond a fixed session cap, or protection visible in this file. In the context of an email-processing skill, that metadata can reveal sensitive communications, calendar content, and user behavior, creating a privacy and local data exposure risk if the workstation, account, backups, or other tools access these files.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The delete path performs a destructive calendar action immediately, with no confirmation, dry-run mode, or safeguard against accidental or unauthorized invocation. In an agent skill context, this increases the chance of unintended event deletion from ambiguous prompts, model mistakes, or malicious prompt input routed into the tool.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
When attendees are added during updates, the code may automatically enable --send-updates all if supported, causing external emails/notifications to be sent without an explicit user-facing disclosure or consent gate. In an agent workflow, this can leak meeting details or trigger unwanted communications to third parties due to prompt ambiguity or automation errors.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
During event creation, adding attendees may automatically trigger --send-updates all, which can send invitations or notices externally without clear user acknowledgement. In a skill that converts email content into calendar actions, this is particularly risky because untrusted or misparsed content could cause unintended outreach or disclosure of calendar metadata.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal