AI Email Agent

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real email automation tool, but it needs review because it can read customer mail, send live replies, share message data with external services, and expose ticket data through an unauthenticated dashboard.

Install only with a test mailbox first. Treat `run` as capable of sending real replies to customers, configure least-privilege IMAP/SMTP accounts, review what customer data may be sent to the LLM and webhooks, avoid exposing the dashboard beyond localhost or add authentication, and pin/review dependencies before production use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares required binaries and sensitive environment variables and clearly instructs users to run Python commands that will access external services, but it does not declare corresponding permissions/capabilities in a transparent way. This can mislead users and reviewers about the skill's actual access to environment secrets, local files, and network resources, increasing the risk of unintended mailbox access or outbound communications.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The top-level description frames the skill as an email auto-reply agent, but the documented behavior extends into web dashboard hosting, persistent storage of customer communications, webhook-based notifications, spam/blacklist maintenance, and operational tooling. This broader behavior materially changes the security and privacy profile because it processes and stores customer data and exposes additional interfaces that users may not expect from the brief description.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README promotes a fully automated customer-email workflow that can read live mailbox contents and send outbound SMTP replies, but it does not prominently warn users about the risks of processing sensitive customer data or accidentally messaging real recipients. In an LLM-driven email agent, this omission increases the chance of unsafe deployment, privacy violations, and unintended business communications.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The run instructions explicitly enable continuous operation with IMAP/SMTP but do not warn that this mode can automatically send replies to real customers. Because the skill is specifically designed for ecommerce customer support, users may reasonably execute the command as documented and unintentionally trigger unauthorized or incorrect outbound communications at scale.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The quick-start section tells users to run the agent loop but does not prominently warn that doing so will automatically connect to mailboxes, read incoming mail, and send outbound replies. In an autonomous email agent, that omission is dangerous because a user may trigger real-world communications and customer-data processing without fully understanding the consequences.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The classifier sends full email content, sender identity, and subject to an external LLM service, which creates a real privacy and data-governance risk if users have not explicitly consented or if the deployment does not clearly disclose third-party processing. In an email-support context, messages commonly contain PII, order data, addresses, and sensitive complaints, so transmitting them off-system can violate least-privilege and regulatory expectations.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code sends customer identifiers and email content to an external LLM in `_llm_generate_reply`, including sender name, email address, subject, and part of the message body. In a customer-support context this commonly includes personal data, order information, and complaint details, so transmitting it without minimization, consent, or clear disclosure creates a real privacy and data-governance risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The translation/localization path sends reply content to the LLM in `_llm_polish`. Even though this is outbound text, it can still contain customer-related information such as names, ticket numbers, product details, complaint summaries, and order references, causing unnecessary exposure of customer data to a third-party service.

Ssd 3

Medium
Confidence
91% confidence
Finding
The prompt includes full sender name, email address, subject, and body, then asks the model to extract entities and summarize the content, which materially increases exposure of personal and transactional data to the LLM provider. In an e-commerce support mailbox, this data can include order numbers, contact details, refund information, and potentially sensitive complaint details, making over-sharing especially risky.

Ssd 3

Medium
Confidence
86% confidence
Finding
Storing raw LLM output for debugging is risky because the model response may echo or transform sensitive email content, including customer identifiers and order details. If logs, traces, or returned objects are later persisted or exposed to operators, this increases the data-retention and secondary-disclosure surface beyond the original processing purpose.

Unpinned Dependencies

Low
Category
Supply Chain
Content
openai>=1.30.0
pyyaml>=6.0
python-dotenv>=1.0.0
requests>=2.31.0
Confidence
95% confidence
Finding
openai>=1.30.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
openai>=1.30.0
pyyaml>=6.0
python-dotenv>=1.0.0
requests>=2.31.0
Confidence
98% confidence
Finding
pyyaml>=6.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
openai>=1.30.0
pyyaml>=6.0
python-dotenv>=1.0.0
requests>=2.31.0
Confidence
90% confidence
Finding
python-dotenv>=1.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
openai>=1.30.0
pyyaml>=6.0
python-dotenv>=1.0.0
requests>=2.31.0
Confidence
97% confidence
Finding
requests>=2.31.0

Known Vulnerable Dependency: pyyaml — 8 advisories: CVE-2019-20477 (Deserialization of Untrusted Data in PyYAML); CVE-2020-1747 (Improper Input Validation in PyYAML); CVE-2020-14343 (Improper Input Validation in PyYAML) +5 more

Critical
Category
Supply Chain
Confidence
93% confidence
Finding
pyyaml

Known Vulnerable Dependency: python-dotenv — 1 advisory: CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
72% confidence
Finding
python-dotenv

Known Vulnerable Dependency: requests — 10 advisories: CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
95% confidence
Finding
requests

VirusTotal

62/62 vendors flagged this skill as clean.