Domain Email Forwarding

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only guide for setting up email forwarding on domains the user owns, with sensitive but disclosed account-recovery implications.

Install only if you intend to change email routing for a domain you own or administer. Before using catch-all or replacing MX records, check whether anyone relies on existing mailboxes, save the current DNS/MX settings, forward only to an inbox you control, and remove or narrow temporary forwarding after recovery.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (83% confidence)
Finding
The skill is framed around broad scenarios like account recovery and temporary forwarding without clear authorization boundaries, which can cause an agent to invoke it in sensitive identity-recovery contexts without confirming the user owns and is permitted to modify the domain and linked accounts. In this context, email forwarding enables receipt of verification codes and password resets, so overbroad triggering increases the risk of facilitating unauthorized account takeover if used for domains or accounts the requester should not control.

Missing User Warnings

Medium (94% confidence)
Finding
The skill instructs users to modify forwarding, catch-all behavior, and MX/email-routing settings, but its warnings are scattered and do not prominently state that these changes can reroute or break mail for the whole domain. Because the skill explicitly discusses receiving verification codes and password resets, a user could unintentionally disrupt existing business/personal mail delivery or redirect sensitive messages for all addresses on the domain, especially when enabling catch-all or replacing MX records.

VirusTotal

66/66 vendors flagged this skill as clean.
