Security audit

IMAP Client

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed IMAP email helper that needs mailbox credentials to read, search, and download mail, with real but documented credential-handling risks.

Install only if you are comfortable giving the agent access to the configured mailbox. Use an app-specific password, prefer OpenClaw SecretRef or per-run environment injection over plaintext files, avoid shared multi-user machines because the password may briefly appear in process arguments, and use --mark-seen only when you intentionally want messages marked read.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The documentation states the skill is read-only, yet it exposes and explains `--mark-seen`, which changes mailbox state by marking messages as read. This mismatch can cause an agent or user to perform unintended state-changing actions under the false assumption that the tool is non-mutating, potentially altering evidence, workflows, or unread status in a live mailbox.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The file contradicts itself by saying `myl` is read-only while also documenting a mutating flag, creating unsafe expectations for downstream automation. In agent contexts, such contradictions are dangerous because policy or planner logic may permit the skill in situations where mailbox state must not be modified, leading to silent, unintended changes.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger description is overly broad and includes a catch-all 'and similar' clause, which can cause the skill to activate for loosely related or ambiguous user requests. Because this skill accesses mailbox contents and attachments using configured credentials, unintended invocation can expose sensitive email metadata or content when the user did not clearly request mailbox access.

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
export IMAP_PROVIDER='yandex'
```

**Headless / cron / fallback** — create `~/.config/imap-client/credentials`:

```bash
mkdir -p ~/.config/imap-client
```
Confidence
90% confidence
Finding
create `~/.config/imap-client/credentials`:

```bash
mkdir -p ~/.config/imap-client
cat > ~/.config/imap-client/credentials <<'EOF'
IMAP_USER='you@yandex.ru'
IMAP_PASSWORD='app-specific-password-here'
```

Session Persistence

Medium
Category
Rogue Agent
Content
When neither Method A nor B is convenient (e.g. cron jobs, headless workflows, CI), drop a credentials file at `~/.config/imap-client/credentials`:

```bash
mkdir -p ~/.config/imap-client
cat > ~/.config/imap-client/credentials <<'EOF'
IMAP_USER='you@example.com'
IMAP_PASSWORD='app-specific-password-here'
```
Confidence
94% confidence
Finding
```bash
mkdir -p ~/.config/imap-client
cat > ~/.config/imap-client/credentials <<'EOF'
IMAP_USER='you@example.com'
IMAP_PASSWORD='app-specific-password-here'
IMAP_PROVIDER='auto'
EOF
chmod 600 ~/.config
```

VirusTotal

66/66 vendors flagged this skill as clean.
