ClawHub

MailCheck Email Verification

Security checks across malware telemetry and agentic risk

Overview

This skill performs the advertised MailCheck email verification requests, with privacy considerations users should review before sending real email data.

Install only if you are comfortable sending the submitted email addresses, bulk lists, trusted domains, and raw email headers to MailCheck. Use a scoped API key through MAILCHECK_API_KEY where possible, avoid pasting production keys into prompts, and do not submit sensitive or regulated email headers unless your organization has approved that data sharing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documentation describes use of an API key environment variable and calls to an external MailCheck API, which implies env and network capabilities while no permissions are declared. This creates a transparency and consent gap: users may install or invoke the skill without realizing it can access secrets and transmit data externally.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README instructs users to send email addresses and bearer-authenticated requests to a third-party API but does not disclose the privacy, data-processing, retention, or consent implications of transmitting personal data off-platform. This can lead to inadvertent sharing of sensitive user/customer email data without adequate notice or policy review, especially in enterprise or regulated environments.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill encourages users to submit email addresses and full email headers for verification and authenticity analysis, but it does not clearly warn that this information will be sent to a third-party API. Email headers can contain sensitive metadata, routing information, internal hostnames, and personal data, so undisclosed transmission can cause privacy, compliance, and confidentiality issues.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This command sends a user-supplied email address to a third-party API, which is a real privacy and data-handling concern because email addresses are personal data in many environments. The code does not provide any user-facing disclosure, consent gate, or minimization controls, so users may unknowingly transmit sensitive contact data to an external service.

Missing User Warnings

High
Confidence
96% confidence
Finding
Bulk verification transmits up to 100 email addresses to an external service in a single request, increasing the privacy, compliance, and accidental data-exfiltration impact compared with single-email verification. Because there is no explicit warning or consent mechanism, a user or calling agent could disclose an entire contact list to a third party without clear awareness.

Missing User Warnings

High
Confidence
97% confidence
Finding
Email headers can contain sensitive metadata, including sender/recipient information, routing details, internal infrastructure names, and authentication results. Sending full headers to a third-party API without explicit warning or redaction support creates a meaningful risk of unintentional disclosure of sensitive operational and personal information.

External Transmission

Medium
Category
Data Exfiltration
Content
```python
import requests

resp = requests.post(
    'https://api.mailcheck.dev/v1/verify',
    headers={'Authorization': f'Bearer {API_KEY}'},
    json={'email': 'user@example.com'}
Confidence
80% confidence
Finding
requests.post( 'https://

External Transmission

Medium
Category
Data Exfiltration
Content
```python
import requests

resp = requests.post(
    'https://api.mailcheck.dev/v1/verify',
    headers={'Authorization': f'Bearer {API_KEY}'},
    json={'email': 'user@example.com'}
Confidence
80% confidence
Finding
requests.post( 'https://api.mailcheck.dev/v1/verify', headers={'Authorization': f'Bearer {API_KEY}'}, json=

External Transmission

Medium
Category
Data Exfiltration
Content
### Node.js
```javascript
const result = await fetch('https://api.mailcheck.dev/v1/verify', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${process.env.MAILCHECK_API_KEY}`,
Confidence
84% confidence
Finding
fetch('https://api.mailcheck.dev/v1/verify', { method: 'POST'

External Transmission

Medium
Category
Data Exfiltration
Content
### Node.js
```javascript
const result = await fetch('https://api.mailcheck.dev/v1/verify', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${process.env.MAILCHECK_API_KEY}`,
Confidence
84% confidence
Finding
https://api.mailcheck.dev/

External Transmission

Medium
Category
Data Exfiltration
Content
}
    
    try {
      const response = await fetch('https://api.mailcheck.dev/v1/verify', {
        method: 'POST',
        headers: {
          'Authorization': `Bearer ${apiKey}`,
Confidence
86% confidence
Finding
fetch('https://api.mailcheck.dev/v1/verify', { method: 'POST'

External Transmission

Medium
Category
Data Exfiltration
Content
}
    
    try {
      const response = await fetch('https://api.mailcheck.dev/v1/verify/bulk', {
        method: 'POST',
        headers: {
          'Authorization': `Bearer ${apiKey}`,
Confidence
90% confidence
Finding
fetch('https://api.mailcheck.dev/v1/verify/bulk', { method: 'POST'

External Transmission

Medium
Category
Data Exfiltration
Content
}
    
    try {
      const response = await fetch('https://api.mailcheck.dev/v1/verify/auth', {
        method: 'POST',
        headers: {
          'Authorization': `Bearer ${apiKey}`,
Confidence
92% confidence
Finding
fetch('https://api.mailcheck.dev/v1/verify/auth', { method: 'POST'

External Transmission

Medium
Category
Data Exfiltration
Content
}
    
    try {
      const response = await fetch('https://api.mailcheck.dev/v1/verify', {
        method: 'POST',
        headers: {
          'Authorization': `Bearer ${apiKey}`,
Confidence
86% confidence
Finding
https://api.mailcheck.dev/

External Transmission

Medium
Category
Data Exfiltration
Content
}
    
    try {
      const response = await fetch('https://api.mailcheck.dev/v1/verify/bulk', {
        method: 'POST',
        headers: {
          'Authorization': `Bearer ${apiKey}`,
Confidence
90% confidence
Finding
https://api.mailcheck.dev/

External Transmission

Medium
Category
Data Exfiltration
Content
}
    
    try {
      const response = await fetch('https://api.mailcheck.dev/v1/verify/auth', {
        method: 'POST',
        headers: {
          'Authorization': `Bearer ${apiKey}`,
Confidence
92% confidence
Finding
https://api.mailcheck.dev/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal