ShellMail - Email Built for AI Agents

Security checks across malware telemetry and agentic risk

Overview

This is a genuine ShellMail email helper, but it gives an agent persistent mailbox access plus sending and destructive mailbox powers that are not fully safety-gated.

Install only if you are comfortable giving the agent persistent access to a dedicated ShellMail inbox and the OTPs delivered to it. Treat this skill as able to send email, modify messages, delete messages, and delete the address itself; require explicit user approval before any outbound, recovery, or destructive action, and do not point it at a personal or important mailbox.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 86%

Finding: The skill clearly relies on shell and network capabilities (`curl`, `python3`, external API access) while declaring no explicit permissions. That weakens the platform's ability to present accurate trust boundaries and can lead users or orchestrators to approve the skill without understanding that it can execute commands and reach external services using a sensitive inbox token. In this context the risk is amplified because the token grants access to email contents and OTPs.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 94%

Finding: The advertised purpose emphasizes reading inboxes and extracting OTPs, but the documented behavior also includes destructive and account-management actions such as delete, archive, create, recover, and delete-account. This mismatch can mislead users and higher-level agent policies into invoking a skill with broader authority than expected, enabling unintended mailbox modification, account takeover or recovery flows, or permanent data loss. Because the skill handles highly sensitive email and OTP access, hidden breadth is especially dangerous.

Description-Behavior Mismatch

Severity: High
Confidence: 98%

Finding: The skill metadata presents this as an inbox/OTP-reading tool, but the script exposes materially broader capabilities, including sending mail, replying, deleting messages, archiving, and creating or deleting addresses. That capability mismatch is dangerous in an agent setting because orchestration layers or users may grant trust based on the benign-seeming description, while the tool can perform state-changing and destructive actions the user did not expect.
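The three findings above (undeclared shell and network capabilities, and subcommands well beyond the advertised purpose) reduce to one check an orchestrator can run before trusting a skill: scan the helper script for what it actually does and diff that against what the manifest declares and describes. The Python below is an added example, not SkillSpector's or ShellMail's code; the manifest format, the permission vocabulary (`shell:exec`, `network:http`), the subcommand tiers, and the sample helper script are all constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Hypothetical subcommand tiers (assumption for the example, modelled on the
# subcommands the findings list).
READ_ONLY = {"inbox", "otp", "list", "read", "search"}
STATE_CHANGING = {"send", "reply", "archive", "create"}
DESTRUCTIVE = {"delete", "delete-address", "delete-account", "recover"}

# Script text that implies a capability. The keys are a made-up permission
# vocabulary that the sample manifest below shares.
CAPABILITY_PATTERNS = {
    "shell:exec": re.compile(r"\b(?:sh|bash|python3?|perl)\b"),
    "network:http": re.compile(r"\b(?:curl|wget)\b|https?://"),
}

# Matches the `name)` arms of a POSIX `case` statement, one per line.
CASE_ARM = re.compile(r"^\s*([A-Za-z][\w-]*)\)", re.MULTILINE)

# Constructed sample manifest: advertises reading only, declares HTTP only.
SAMPLE_MANIFEST = {
    "name": "shellmail-inbox-reader",
    "description": "Read a ShellMail inbox and extract OTPs",
    "declared_permissions": ["network:http"],
}

# Constructed sample helper script (not ShellMail's real script).
SAMPLE_SCRIPT = r'''#!/bin/sh
API="https://api.example.invalid"
case "$1" in
  inbox)          curl -s -H "Authorization: Bearer $TOKEN" "$API/inbox" ;;
  otp)            curl -s -H "Authorization: Bearer $TOKEN" "$API/inbox" |
                  python3 -c "import re,sys; print(re.findall(r'[0-9]{6}', sys.stdin.read()))" ;;
  send)           curl -s -X POST -H "Authorization: Bearer $TOKEN" "$API/send" -d @- ;;
  delete)         curl -s -X DELETE -H "Authorization: Bearer $TOKEN" "$API/messages/$2" ;;
  delete-address) curl -s -X DELETE -H "Authorization: Bearer $TOKEN" "$API/addresses/$2" ;;
esac
'''


@dataclass
class AuditReport:
    detected_capabilities: set = field(default_factory=set)
    undeclared_capabilities: set = field(default_factory=set)
    subcommands: dict = field(default_factory=dict)        # name -> tier
    description_mismatch: list = field(default_factory=list)

    def risk_level(self) -> str:
        """Worst-case tier an orchestrator should assume for this skill."""
        tiers = set(self.subcommands.values())
        if "destructive" in tiers or "shell:exec" in self.undeclared_capabilities:
            return "high"
        if "state-changing" in tiers or self.undeclared_capabilities:
            return "medium"
        return "low"


def classify(subcommand: str) -> str:
    if subcommand in DESTRUCTIVE:
        return "destructive"
    if subcommand in STATE_CHANGING:
        return "state-changing"
    if subcommand in READ_ONLY:
        return "read-only"
    return "unknown"  # treated like state-changing until someone reviews it


def audit_skill(manifest: dict, script: str) -> AuditReport:
    report = AuditReport()
    for cap, pattern in CAPABILITY_PATTERNS.items():
        if pattern.search(script):
            report.detected_capabilities.add(cap)
    report.undeclared_capabilities = (
        report.detected_capabilities - set(manifest.get("declared_permissions", []))
    )
    for name in CASE_ARM.findall(script):
        report.subcommands[name] = classify(name)
    # A subcommand that changes or destroys state but whose verb never appears
    # in the advertised description is a description/behavior gap.
    description = manifest.get("description", "").lower()
    for name, tier in report.subcommands.items():
        verb = name.split("-")[0]
        if tier != "read-only" and verb not in description:
            report.description_mismatch.append(name)
    return report


if __name__ == "__main__":
    report = audit_skill(SAMPLE_MANIFEST, SAMPLE_SCRIPT)
    print("undeclared:", sorted(report.undeclared_capabilities))
    print("subcommands:", report.subcommands)
    print("not in description:", report.description_mismatch)
    print("risk:", report.risk_level())
```

On the sample, the script's shebang and `python3` call surface `shell:exec`, which the manifest never declares, and `send`, `delete` and `delete-address` all fall outside a description that only mentions reading. The check is deliberately coarse: it is meant to fail closed at approval time, not to replace a code review.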

Vague Triggers

Severity: Medium
Confidence: 89%

Finding: The trigger language includes broad phrases like 'any email-related requests,' which can cause the skill to activate for generic tasks where the user did not intend mailbox access. In an agent setting, overbroad activation combined with inbox/OTP access increases the chance of unnecessary exposure of sensitive mail contents, accidental state changes, or use of the token in contexts outside the user's intent.

Missing User Warnings

Severity: Medium
Confidence: 96%

Finding: The delete command irreversibly removes an email with no interactive confirmation, dry-run mode, or safety flag. In an autonomous or loosely supervised agent workflow, this can turn a mis-parse, prompt injection, or mistaken tool call into permanent data loss.

Missing User Warnings

Severity: High
Confidence: 99%

Finding: The delete-address command deletes the address and all associated mail without any warning or confirmation step. Because this is a highly destructive account-level action, accidental invocation or hostile prompting could cause complete mailbox loss rather than a single-message mistake.
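The two findings above describe destructive subcommands with no confirmation, dry-run, or safety flag. When the skill itself does not gate them, the orchestrator can: route every subcommand through a policy wrapper that the agent cannot bypass. The Python below is an added example, not ShellMail's code. The action tiers, the `Approval` object (bound to one action and one target, single-use via a caller-supplied nonce, with a typed confirmation required for destructive actions), the `fake_shellmail` stand-in executor, and the target names are all assumptions for the example; the real helper would be invoked where `fake_shellmail` is.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Hypothetical action tiers (assumption for the example, modelled on the
# subcommands the findings list). Anything not listed is refused.
READ_ONLY = {"inbox", "otp", "list", "read"}
NEEDS_APPROVAL = {"send", "reply", "archive", "create", "recover"}
DESTRUCTIVE = {"delete", "delete-address"}


class ActionDenied(Exception):
    """Raised when the gate refuses to run an action."""


@dataclass(frozen=True)
class Approval:
    """A user approval for one action on one target, usable once.

    nonce: unique per approval, supplied by whatever UI collected it, so
    that an identical approval re-presented by the agent is rejected.
    """
    action: str
    target: str
    confirmation: str = ""  # destructive actions: must repeat the target
    nonce: str = ""


class MailboxGate:
    def __init__(self, execute: Callable[[str, str], str], dry_run: bool = False):
        self._execute = execute      # the real helper would be called here
        self.dry_run = dry_run
        self.audit_log = []
        self._consumed = set()       # approvals already spent

    def run(self, action: str, target: str = "",
            approval: Optional[Approval] = None) -> str:
        if action in READ_ONLY:
            return self._dispatch(action, target)
        if action not in NEEDS_APPROVAL and action not in DESTRUCTIVE:
            raise ActionDenied(f"unknown action {action!r}: refused by default")
        self._check_approval(action, target, approval)
        if action in DESTRUCTIVE and approval.confirmation != target:
            raise ActionDenied(
                f"{action}: confirmation must repeat the target {target!r}")
        result = self._dispatch(action, target)
        if not self.dry_run:
            self._consumed.add(approval)   # a dry run spends nothing
        return result

    def _check_approval(self, action, target, approval):
        # The approval must name exactly this action and target; a generic
        # "yes" harvested by prompt injection cannot be repurposed.
        if approval is None or (approval.action, approval.target) != (action, target):
            raise ActionDenied(
                f"{action} on {target!r} needs an approval bound to that action and target")
        if approval in self._consumed:
            raise ActionDenied(f"{action} on {target!r}: approval already used")

    def _dispatch(self, action, target):
        if self.dry_run:
            self.audit_log.append(("dry-run", action, target))
            return f"[dry-run] would run {action} {target}".strip()
        self.audit_log.append(("executed", action, target))
        return self._execute(action, target)


def fake_shellmail(action: str, target: str) -> str:
    """Constructed stand-in for the real helper: echoes instead of calling any API."""
    return f"ok: {action} {target}".strip()


def attempt(gate: MailboxGate, action: str, target: str = "",
            approval: Optional[Approval] = None):
    """Run through the gate, returning ('ok', result) or ('denied', reason)."""
    try:
        return ("ok", gate.run(action, target, approval))
    except ActionDenied as exc:
        return ("denied", str(exc))


if __name__ == "__main__":
    gate = MailboxGate(fake_shellmail)
    print(attempt(gate, "inbox"))
    print(attempt(gate, "delete", "msg-1"))                                   # denied: no approval
    print(attempt(gate, "delete", "msg-1", Approval("delete", "msg-1", nonce="n1")))   # denied: no confirmation
    print(attempt(gate, "delete", "msg-1", Approval("delete", "msg-1", "msg-1", "n2")))
    print(MailboxGate(fake_shellmail, dry_run=True).run(
        "delete-address", "a@example.invalid",
        Approval("delete-address", "a@example.invalid", "a@example.invalid", "n3")))
```

The wrapper fails closed on three things the findings call out: an unlisted subcommand is refused rather than passed through, a destructive action needs the target typed back, and every approval is consumed on use so a replayed approval cannot delete a second message or a second address.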

VirusTotal

66/66 vendors reported this skill as clean; no malware detections.
