claw-mail

Security checks across malware telemetry and agentic risk

Overview

This is a coherent email-management skill, but it needs review because it combines broad mailbox access with under-scoped sending, webhook, credential, and persistence controls.

Install only if you are comfortable granting broad read, send, modify, and automation authority over the configured mailboxes. Use 1Password, Keychain, or environment-backed credentials instead of plaintext or CLI password flags; keep TLS enabled; avoid catch-all rules; review any forwarding, auto-reply, mail-merge, fallback SMTP, or webhook configuration before use; and store heartbeat state or queue files only in private locations because they may contain sensitive email metadata or message content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 85%
Finding:
The skill exposes significant capabilities—shell execution, file read/write, environment access, and networked email operations—while not declaring permissions in a dedicated way beyond broad allowed tools. That mismatch increases the risk that a user or host system underestimates what the skill can do, especially given it can access credentials, local files, and external mail servers.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 89%
Finding:
The documented purpose emphasizes email management, but the skill also describes broader local persistence and arbitrary filesystem interaction, including reading attachments from disk, saving attachments to disk, and maintaining retry/state files. Those behaviors materially expand the trust boundary because they enable local data access and persistence beyond what many users would infer from a mail-only description.

Missing User Warnings

Severity: Low
Confidence: 74%
Finding:
The README states that emails can be read and attachments saved to disk, but it does not warn about overwrite risks, unsafe save locations, or the sensitivity of attachment contents. In an email-processing skill, attachment writes are especially risky because email is an untrusted input source and attachments may contain confidential or malicious content.

Missing User Warnings

Severity: Low
Confidence: 78%
Finding:
Documenting folder deletion without any caution about destructive consequences can lead to accidental loss of messages or mailbox structure. In a mail-management context, deletion actions affect potentially important records and should be treated as sensitive, user-confirmed operations.

Missing User Warnings

Severity: Low
Confidence: 80%
Finding:
Mail merge enables bulk outbound email using CSV/JSON recipient data but the documentation omits warnings about privacy, accidental mass-mailing, and misuse of sensitive recipient datasets. In practice, this can amplify mistakes quickly and may expose personal data or trigger spam/abuse outcomes.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The configuration explicitly allows plaintext passwords and only notes that a warning is logged, which is insufficient protection for highly sensitive email credentials. If config files are exposed through backups, source control, logs, or local compromise, attackers can gain direct account access and potentially pivot through password reset flows or sensitive correspondence.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding:
The documented webhook action exfiltrates email-derived metadata to an arbitrary external URL, including sender, recipients, subject, account, and matched rule context. In an email-processing skill, this creates a real privacy and data-disclosure risk because rules may forward sensitive business or personal metadata off-platform without strong warnings, allowlisting, or minimization.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The documentation explicitly describes a webhook action that posts email-derived metadata such as subject, sender, message_id, matched rules, and tags to an external URL, but it does not warn users that this can disclose potentially sensitive mail metadata to third parties. In an email-management skill, even metadata can reveal confidential business relationships, incident details, internal workflows, or personal information, so encouraging this feature without a clear disclosure and trust boundary is a real privacy/security weakness.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The example command includes an SMTP password directly on the command line (`--smtp-pass "pass"`), which encourages insecure credential handling. Command-line secrets can be exposed through shell history, process listings, logs, screenshots, and copied documentation, and this example also normalizes sending mail to an external service without any warning about credential exposure or network transmission.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
When a state file is provided, the script writes detailed email metadata including subject lines, senders, message IDs, per-account activity, and error details to disk. This can expose sensitive communications data to other local users, backup systems, logs, or downstream tools that read the shared state file, especially because there is no access-control check, minimization, encryption, or explicit disclosure at the point of persistence.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The script emits sender, subject, message IDs, and dates for newly received emails to stdout in both JSON and CLI modes without any privacy warning, redaction, or opt-in gating. In a multi-account email skill, stdout is often captured by parent agents, logs, terminals, process supervisors, or other automation layers, which can unintentionally disclose sensitive mailbox metadata and potentially personal or business information.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The code automatically retries delivery through a configured fallback SMTP relay when the account's primary SMTP server fails, and the return structure only exposes this in a programmatic field (`fallback_used`) rather than enforcing any user-facing disclosure or consent at send time. In a multi-account mail skill, this can cause sensitive or regulated email to traverse a different infrastructure than the user intended, changing trust boundaries, logging exposure, compliance posture, and possibly sender reputation handling.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
When IMAP Outbox staging fails or IMAP is unavailable, the function sends the message directly via SMTP and only records that behavior in the returned result (`note`, `stage_error`) instead of guaranteeing a user-visible warning or blocking the send. This defeats the reliability/audit expectation of the Outbox workflow and can transmit mail immediately even when the user may expect deferred, staged, or reviewable delivery.

VirusTotal

62/62 vendors flagged this skill as clean.
