Mail Invoice Archiver

Security checks across malware telemetry and agentic risk

Overview

The skill has a legitimate invoice-archiving purpose, but it needs Review because it handles mailbox credentials while automatically downloading invoice links from emails and converting some attachments with local tools.

Install only if you are comfortable granting this skill access to the target mailbox and local invoice archive. Prefer system credential storage or environment variables, avoid plaintext config secrets, set a narrow trusted domain list for invoice downloads, and use the no-follow-links option or a sandboxed environment when processing untrusted mail attachments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    if not converter:
        return None
    try:
        subprocess.run(
            [converter, "--headless", "--convert-to", "pdf", "--outdir", str(local_path.parent), str(local_path)],
            check=True,
            stdout=subprocess.DEVNULL,
Confidence
89% confidence
Finding
subprocess.run( [converter, "--headless", "--convert-to", "pdf", "--outdir", str(local_path.parent), str(local_path)], check=True, stdout=subprocess.DEVNULL

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares substantial capabilities in practice—environment access, file read/write, network use, and shell command execution—yet does not declare corresponding permissions. This weakens review and consent boundaries because a user or platform may underestimate the skill's effective access, especially given it handles mailbox contents and credentials.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented purpose is mailbox invoice archiving, but the skill also performs sensitive credential management and references Feishu integration/token exchange that are not clearly within that core purpose. This mismatch is dangerous because users may authorize the skill expecting simple mail processing while it also handles secrets, persists them in some modes, and contacts additional services.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
Feishu credential handling introduces an unrelated secret domain and external integration into a skill whose stated function is mail invoice archiving. Even though the document recommends safer storage locations, the added integration increases attack surface, creates unnecessary secret exposure pathways, and may surprise users who did not intend to grant chat-delivery or tenant-token capabilities.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
This skill goes beyond passive mail archiving and actively opens untrusted attachments with local office-conversion software. In the context of processing arbitrary invoice emails, that behavior is risky because email attachments are attacker-controlled and document parsers are a common exploitation target.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The configuration writer serializes the mailbox authentication secret directly into config.toml via the auth.secret field. Persisting reusable mailbox credentials in plaintext on disk increases the chance of credential theft through local compromise, backups, logs, or accidental file disclosure.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
This function reads arbitrary macOS Keychain entries by service name and returns both account and password, which gives the skill direct access to host-stored credentials beyond what is justified by the stated invoice-archiving purpose. In an agent setting, this can expose unrelated secrets if the service parameter is influenced by other code or abused to query unexpected keychain items.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This module exposes generic read/write access to the system credential store even though the skill is described as mailbox and invoice archiving. In this context, the ability to access OS-managed secrets materially expands the skill's privilege boundary and could be abused to harvest or overwrite unrelated credentials if other parts of the skill can influence the service name or call paths.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The file invokes platform-specific secret-management facilities via macOS security and Windows Credential Manager APIs, which exceeds simple invoice processing and mailbox archiving. Because this code can directly read and write persisted secrets on the host, compromise or misuse of the skill would have impact beyond mailbox synchronization and could affect other applications' credentials.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code automatically follows invoice-like URLs extracted from email bodies and downloads their contents. Because emails are untrusted input, this creates an SSRF-like primitive and can be abused to make requests to internal services, cloud metadata endpoints, or attacker-controlled hosts, as well as trigger unexpected outbound traffic and malicious file retrieval.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This code saves the authentication secret to disk without any visible warning, consent, or safeguard, which can mislead users into believing a safer storage mechanism is being used. In a mail-archiving skill that accesses invoice mailboxes, compromise of this secret can expose sensitive email and financial documents.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code silently accesses the user's macOS Keychain and extracts credentials without any user-facing warning, consent prompt, or disclosure in the implementation. Even if used for legitimate mailbox sync, undisclosed credential harvesting is risky in an agent skill because users may not expect local secret-store access and cannot make an informed trust decision.

VirusTotal

67/67 vendors flagged this skill as clean.
