Expanso email-triage

Security checks across malware telemetry and agentic risk

Overview

This skill matches its email-triage purpose, but it needs review because it handles private email/calendar workflows, sends message content to OpenAI, and advertises automatic account changes without enough user control.

Install only if you are comfortable with email subjects, senders, and body excerpts being sent to OpenAI for classification. Use least-privilege email and calendar credentials, avoid broad inbox runs on sensitive mailboxes, bind the MCP server to localhost or protect it behind authentication, and disable or manually review any automatic calendar or archive behavior before allowing it to modify accounts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The comments make a privacy assurance about credentials staying local while the pipeline explicitly sends full email content to OpenAI for classification. Even if the statement is technically limited to credentials, it is misleading because users may infer their sensitive mailbox data is not leaving the machine, creating a real transparency and data-handling risk.

Intent-Code Divergence

Medium
Confidence: 92%
Finding
The file is presented as processing real Gmail/Outlook inboxes, but the implementation only operates on hardcoded sample emails. This discrepancy can mislead operators into trusting the pipeline's behavior, outputs, and security properties in ways that do not reflect the actual implementation.

Missing User Warnings

Medium
Confidence: 89%
Finding
The pipeline sets create_calendar_events to true by default, which normalizes a side-effecting behavior without clear warning or explicit opt-in. In an email-processing context, default action on inferred meeting content can lead to unwanted external changes, calendar pollution, or accidental disclosure through downstream integrations once event creation is implemented.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill transmits email content to an external AI service, but the top-level description does not prominently warn users that potentially sensitive communications will leave the local environment. Because email bodies can contain confidential business, legal, or personal data, inadequate disclosure materially increases privacy and compliance risk.

Missing User Warnings

High
Confidence: 97%
Finding
The pipeline serializes full email objects, including subject, sender, and body, into `root.messages` and sends them to `openai_chat_completion`, which transmits potentially sensitive inbox contents to an external LLM service. There is no visible user notice, consent step, minimization, or redaction control in the skill, so private communications could be exposed to a third party unexpectedly.

Missing User Warnings

Medium
Confidence: 94%
Finding
The manifest enables potentially destructive or state-changing actions such as automatic email archival and automatic calendar event creation, but it does not present a strong user-facing warning or confirmation requirement. In an email/calendar context, this increases the risk of unintended data modification, missed messages, or incorrect calendar entries if the skill is triggered with broad scope or misclassifies content.

Missing User Warnings

Medium
Confidence: 97%
Finding
The manifest declares a remote OpenAI backend for classification and drafting but does not clearly warn that email contents, which may contain sensitive personal or business information, could be transmitted to an external provider. In this skill's context, that omission is more dangerous because the processed data is inherently privacy-sensitive and may include confidential communications, attachment-derived text, or scheduling details.

VirusTotal

64/64 vendors flagged this skill as clean.
