Email Usage

Security checks across malware telemetry and agentic risk

Overview

This email utility does what it says, but it gives an agent sensitive mail access and account-creation power with weak authorization boundaries and unsafe password handling.

Install only if you trust the publisher and intend to let the agent operate your local domain mailserver. Before use, replace command-line passwords with secure prompting or a secret store, remove the unauthenticated SMTP fallback, require explicit approval for mailbox reads and account creation, and limit Docker/mailserver access to authorized operators.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The script catches SMTPAuthenticationError and then silently proceeds to send the message anyway, which can result in unauthorized, unauthenticated relay attempts on trusted/internal mail servers. This is dangerous because it masks authentication failures, can enable spoofed sending from arbitrary from_addr values, and misleads operators into believing credentialed delivery succeeded when server policy may have been bypassed.

Vague Triggers

Medium
Confidence: 76%
Finding
The description broadly says to use the local mail server and directly execute scripts, without defining who may invoke the skill, for which domain, or under what authorization conditions. That ambiguity can cause the skill to be invoked in inappropriate contexts, including sending mail, reading mailboxes, or provisioning accounts without sufficient approval.

Missing User Warnings

High
Confidence: 98%
Finding
The SMTP example normalizes providing the mailbox password as a command-line argument. Command-line secrets are commonly exposed through shell history, process listings, logs, terminal capture, and agent telemetry, which can lead to credential theft and unauthorized access to the mail system.

Missing User Warnings

High
Confidence: 98%
Finding
The IMAP reading instructions likewise require entering mailbox credentials directly on the command line, exposing sensitive credentials during a privacy-sensitive operation. If leaked, an attacker could read private email, reset accounts via email-based flows, or pivot into broader compromise.

Missing User Warnings

High
Confidence: 99%
Finding
The account-creation workflow documents creating new mail accounts with plaintext passwords supplied on the command line and gives no warning about the security or system-state impact. This combines credential leakage risk with a privileged administrative action, making unauthorized account provisioning and later abuse more likely.

Missing User Warnings

Medium
Confidence: 95%
Finding
The script connects with plain SMTP and never negotiates TLS via STARTTLS or uses SMTP_SSL, yet it may send both message contents and credentials using s.login(). On any non-local or misconfigured network path, this exposes sensitive data to interception and credential theft; the skill context explicitly encourages direct execution against a mail server, which increases practical risk.

VirusTotal

67/67 vendors flagged this skill as clean.