Proton Bridge Email

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it helps send email through a local Proton Bridge account, but it should be installed only by users who want an agent to handle those email credentials and send messages.

Install this only if you want the agent to send email through your Proton Bridge account. Keep the age key private, delete the temporary plaintext env file after encryption, keep SMTP_HOST set to localhost or 127.0.0.1, and use confirmation or recipient allowlists for automated emails.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 84%
Finding:
The skill documentation instructs use of shell commands and access to local secret files, but no explicit permissions are declared. That creates a trust gap: an agent or reviewer may not realize the skill can read sensitive files like the age key and encrypted env file and invoke local commands to process them. In this context the capability is expected for the stated purpose, but the lack of declaration still increases the risk of unintended secret access or execution beyond what users consented to.

Context-Inappropriate Capability

Medium
Confidence: 99%
Finding:
The script creates an unverified TLS context and uses it for SMTP over SSL or STARTTLS, which disables certificate validation and permits man-in-the-middle interception or credential theft if traffic is redirected or the local trust boundary is broken. Although the intended target is localhost Proton Bridge, this assumption reduces but does not eliminate risk because SMTP_HOST and SMTP_PORT are config-driven and local malware, port forwarding, or misconfiguration could expose credentials and message contents.

Missing User Warnings

Medium
Confidence: 92%
Finding:
The document explicitly instructs users to place Proton Bridge credentials, including the bridge password, into a plaintext file before encrypting it. Even if described as temporary, plaintext secrets can be exposed through shell history, editor swap files, backups, filesystem indexing, screenshots, or accidental commits, especially in an automation-focused environment. The skill context increases risk because these are live email credentials for an agent mailbox and could enable unauthorized SMTP/IMAP access if recovered.

VirusTotal

64/64 vendors flagged this skill as clean.