Mail Mcp

Security checks across malware telemetry and agentic risk

Overview

This mail skill has an understandable purpose, email automation, but it grants broad mailbox control and installs unpinned remote code without enough safeguards.

Install only if you trust the upstream GitHub project and your mail account can tolerate broad agent access. Prefer reviewing or pinning the mail-mcp-server code, installing in an isolated environment, using an app-specific or limited mailbox credential, and requiring manual confirmation before any send, forward, delete, move, or folder-changing operation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium (96% confidence)
Finding:
The trigger list contains very broad terms such as "mail", "email", "邮箱", and related words that commonly appear in ordinary conversation. In an agent environment, this can cause unintended skill activation and lead the agent to initiate mailbox-related actions or setup flows when the user did not explicitly request them, increasing the risk of privacy exposure or unintended side effects.

Missing User Warnings

Medium (92% confidence)
Finding:
The skill advertises destructive operations like deleting, moving, copying mail and deleting or renaming folders without warning the user about the risks or the need for confirmation. In practice, an agent could perform irreversible or hard-to-recover mailbox changes based on ambiguous instructions, causing data loss or business disruption.

Missing User Warnings

Medium (90% confidence)
Finding:
The skill describes sending email, searching mail, and handling attachments, but does not warn that mailbox contents, recipient data, and attachments may be transmitted to external mail infrastructure and exposed to third-party providers. This omission can mislead users about privacy and data-handling consequences, especially when the skill also encourages configuring credentials and sending attachments.

Missing User Warnings

Medium (93% confidence)
Finding:
The script installs a package directly from a GitHub repository using pip with --break-system-packages, which can alter the system-managed Python environment and bypass normal package safety boundaries. This is risky because it may overwrite or conflict with system packages, reduce reproducibility, and increase the blast radius if the upstream repository is compromised or changed unexpectedly.

VirusTotal

66/66 vendors flagged this skill as clean.
