Email Autopilot

Security checks across malware telemetry and agentic risk

Overview

This email skill is not malicious, but it asks an agent to repeatedly read and act across a very sensitive mailbox without enough scope and control details.

Review before installing. Only use this if you are comfortable granting broad inbox and sent-mail access, including recurring analysis of new and historical email. Before enabling it, confirm which account and folders it can read, turn on automatic briefings and follow-up tracking only if you explicitly want them, review every archive or unsubscribe action, and make sure there is a way to delete learned style data and saved templates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Vague Triggers

Severity: Medium
Confidence: 85%
Finding
The skill says it can run automatically every morning as part of a briefing, but it does not clearly define enrollment, scope, or whether the user has explicitly enabled recurring mailbox scans. In a skill with full inbox access, ambiguous automatic activation can cause unintended background processing of sensitive email without clear ongoing consent.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
Automatic follow-up tracking after every sent email is broad and implies continuous monitoring of outgoing and incoming mail activity. Because this can inspect message contents for questions, requests, and replies, it creates persistent surveillance behavior that may exceed what users expect from a single command invocation.

Vague Triggers

Severity: Low
Confidence: 80%
Finding
Automatic Friday reporting is another recurring execution path that is not clearly bounded by explicit opt-in, scheduling controls, or data scope. In a mailbox-reading skill, even low-risk automation still matters because it repeatedly processes sensitive communications without well-defined consent boundaries.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill relies on reading the inbox and sent-mail history, including historical messages used for voice matching, but the description does not prominently warn users about this broad access before feature use. In an email context, undisclosed access to historical communications increases the risk of users exposing sensitive personal, legal, financial, or business data without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The follow-up tracker describes automatic monitoring of sent emails and detection of future incoming replies, but the skill does not clearly warn users that ongoing mailbox activity will be monitored after setup. Persistent monitoring of communications is sensitive behavior and should not be implied only inside a feature description.

Ssd 3

Severity: Medium
Confidence: 93%
Finding
Telling the agent to read everything and surface what matters creates a broad natural-language data access path over the user's full inbox. Even without external exfiltration, large-scale summarization of sensitive email can expose confidential information in generated outputs, to the wrong user context, or beyond the principle of least privilege.

Ssd 3

Severity: Medium
Confidence: 95%
Finding
Mining sent-mail history to learn voice and style requires analyzing potentially large amounts of private correspondence, which may contain confidential facts, names, relationships, and business context. That data can leak into drafts or summaries through overfitting, retrieval, or unintended reproduction of sensitive phrasing.

Ssd 3

Severity: Medium
Confidence: 94%
Finding
Natural-language search across full email history and thread summarization expands retrieval across all prior correspondence, increasing the chance of surfacing confidential or unrelated sensitive material in response to broad prompts. In an email skill, this is especially risky because users often store contracts, HR matters, financial details, and privileged discussions in email threads.

VirusTotal

64/64 vendors flagged this skill as clean.
