QQ Email with AI

Security checks across malware telemetry and agentic risk

Overview

This QQ email assistant is mostly purpose-aligned, but it needs review because it can read, send, move, delete, and export email while also sending email content to DashScope/Qwen without strong consent or safety controls.

Install only if you are comfortable giving this skill broad QQ mailbox access and allowing AI features to send selected email content to DashScope/Qwen. Use environment variables instead of command-line auth-code arguments, review every send/move/delete operation before running it, avoid bulk deletion based only on AI classification, and revoke the QQ authorization code when you stop using the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (20)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The classifier sends sender, subject, and up to 1000 characters of email body to DashScope for analysis, which is a third-party external AI service. Because this involves potentially sensitive email content and the script description does not clearly disclose outbound transmission, users may unknowingly expose private or regulated data outside the mailbox environment.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
This code transmits email subject and body content to a third-party DashScope LLM service for summarization. Email content is typically sensitive, and sending it outside the mailbox provider boundary introduces confidentiality and compliance risk, especially because the skill handles real user inbox data rather than synthetic text.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill advertises sending mail, deleting or moving messages, and downloading attachments, but it does not prominently warn that these actions change mailbox state, store files locally, or send data to external servers. Users may authorize actions without understanding the data-handling and persistence consequences, increasing risk of unintended disclosure, data loss, or unsafe local file writes.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The example workflow encourages batch deletion of promotional mail based on classification results without any warning about misclassification or need for review. Because AI classification is imperfect, users could accidentally delete legitimate or important emails at scale, causing avoidable data loss and missed communications.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation recommends bulk deletion of promotional emails but does not mention any review, preview, or confirmation safeguards. In an email-management skill, this can lead to irreversible deletion of legitimate mail that was misclassified by rules or AI, causing data loss and missed business or personal communications.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document instructs users to configure an external DashScope API key and use AI features on email bodies without warning that message content may be transmitted to a third-party model provider. Because emails often contain sensitive personal, financial, or corporate data, this omission can cause unintended data exposure, compliance issues, and privacy violations.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code transmits full prompt content containing email metadata and body excerpts to an external AI endpoint without any explicit warning, consent, or opt-in in this script's workflow. In an email-management skill, this is especially risky because mailbox contents commonly include personal, financial, business, and confidential information.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code sends email subject and up to 2000 characters of body text to the external DashScope/Qwen service without any explicit user notice, consent flow, or data minimization beyond truncation. In an email-management skill, messages commonly contain sensitive personal, business, financial, or credential-related content, so forwarding them to a third party creates a real confidentiality and compliance risk.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The script can write extracted todos along with email metadata such as subject, sender, and date to an arbitrary output file, but it provides no warning that this output may contain sensitive information. This creates a local data exposure risk if the file is stored insecurely, shared, or written to an unsafe location.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script sends full email subjects, bodies, sender information, and extracted metadata into multiple AI processing components without any explicit consent prompt, disclosure, minimization, or indication of where that data is processed. In an email-management skill, this is especially sensitive because mailbox contents commonly include credentials, personal data, financial records, legal communications, and attachment-derived context, so silent transmission to AI services can create a significant privacy and compliance exposure.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Accepting the mailbox address and authorization code via command-line arguments exposes secrets through shell history, process listings, job control tools, and system monitoring utilities. Because these credentials grant access to a user's email account, disclosure can enable mailbox compromise, data theft, and misuse of the account for sending email.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script fetches and processes email subjects, senders, bodies, flags, and attachment metadata to compute priority, but it provides no explicit privacy notice, consent checkpoint, or minimization controls. In an email-management skill, this is sensitive personal and business data; silent analysis increases the risk of over-collection and unexpected handling of confidential content.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Accepting the QQ mail authorization code via a command-line argument exposes the credential through shell history, process listings, audit logs, and orchestration telemetry. Because this code grants mailbox access, leakage can directly enable unauthorized reading or sending of email and compromise the account.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script sends raw subject/body content to an external API without any visible consent, warning, or privacy notice at the point of use. That creates a real data-handling vulnerability because users may reasonably expect mailbox operations to stay within QQ mail tooling, not be forwarded to another vendor for processing.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The delete and move paths perform irreversible or hard-to-recover mailbox changes immediately based solely on command-line input, with no confirmation, dry-run, or safeguard against accidental targeting. In an agent skill context, this increases the chance that a prompt misunderstanding, bad tool invocation, or maliciously influenced instruction could mass-delete or relocate user email without an explicit user check.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script can write full email search results, potentially including message bodies and other sensitive mailbox data, to any caller-supplied file path with no confirmation, path restriction, or data export warning. In a mailbox-management skill, this increases the risk of unintended local data exfiltration, overwriting sensitive files, or leaving confidential mail content in insecure locations.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Accepting the email authorization code via a command-line argument exposes the secret to process listings, shell history, logging systems, and job orchestration metadata on many platforms. Because this skill handles live mailbox access, leakage of the auth code can directly enable unauthorized access to the user's email account or mailbox data.

Ssd 1

Medium
Confidence
88% confidence
Finding
User-controlled email subject/body/sender are embedded directly into the LLM prompt, so a malicious email can include prompt-injection text that manipulates the model's output or causes misclassification. In this specific file, the AI result is only used for categorization rather than tool execution, so the impact is limited compared with agentic systems, but it can still degrade trustworthiness and potentially influence downstream mailbox automation.

Ssd 3

Medium
Confidence
98% confidence
Finding
The AI prompt includes full subject text and substantial body content from emails, and the resulting workflow preserves sender and subject metadata in downstream output. This creates a clear plain-language data exposure path: sensitive content leaves the mailbox boundary for an external model and then may be retained again in exported results, compounding confidentiality risk.

Ssd 1

Medium
Confidence
83% confidence
Finding
The email body is inserted directly into the LLM prompt, so malicious email content can include prompt-injection text that steers the model away from the intended summarization behavior. In this script the model is only used for summarization, so impact is somewhat constrained, but it can still cause misleading summaries, omission of important content, or output manipulation that affects downstream user decisions.

VirusTotal

64/64 vendors flagged this skill as clean.
