Email

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward email-sending skill, but users should carefully review recipients and attachments because it can send local files outside the system.

Install only if you want the agent to send real emails through an account you configure. Prefer a dedicated sending account or app password, keep email_config.json out of version control, and require a final review that names the recipients, subject, body summary, and every attachment path before sending.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation instructs users to supply SMTP credentials via environment variables or a local config file and references reading attachments from disk, but the skill metadata does not declare corresponding permissions. This creates hidden access to sensitive data sources and weakens policy enforcement, making it easier for a caller to invoke email sending with local files or secrets without explicit review.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill can attach any local file path provided to it and transmit that file over email, which creates a clear data-exfiltration path if an upstream agent, prompt injection, or untrusted user input controls the attachment list. Although attachment support is consistent with an email-sending tool, there are no path restrictions, allowlists, workspace boundaries, or consent checks to prevent sending sensitive local files such as SSH keys, cloud credentials, or application secrets.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README demonstrates natural-language commands that can send real emails and attachments to arbitrary recipients, but it does not clearly warn users that these actions are externally side-effecting and may transmit sensitive data. In an agent context, this increases the risk of accidental outbound communication, data leakage, or misuse when users treat the examples as harmless chat interactions rather than real message delivery operations.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The invocation examples are broad natural-language requests like 'Email the report.pdf file to team@company.com' without requiring confirmation, recipient validation, or attachment scoping. In an agent setting, this increases the chance of unintended exfiltration of sensitive content to external recipients because a loosely phrased prompt could trigger outbound transmission.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The feature list advertises sending emails with attachments across external providers but does not clearly warn users that message contents and local files may be transmitted outside the workspace. In agent workflows, lack of an explicit outbound-data warning materially increases the risk of accidental disclosure of confidential text, documents, or metadata.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code sends email and optional attachments directly once called, with no user-facing confirmation or disclosure that content and files are leaving the system. In an agent setting, this increases the risk of silent exfiltration of sensitive data through normal-looking email functionality, especially when combined with arbitrary attachment support.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation explicitly encourages emailing arbitrary files to arbitrary recipients, including multiple attachments, but does not include any concrete warnings about sensitive data handling, authorization, or exfiltration risk in an agentic environment. In the context of an email automation skill, this increases the chance that users or downstream agents will send internal reports or local files to unintended recipients without adequate validation or review.

VirusTotal

66/66 vendors flagged this skill as clean.
