Smart Email

Security checks across malware telemetry and agentic risk

Overview

This is a coherent email automation skill, but it should be installed only by users comfortable giving it mailbox access and allowing configured AI and notification services to process email content.

Install this only if you trust the publisher with access to the mailboxes you configure. Expect full emails, attachments, logs, and a tracking database to be stored under the Smart Email data directory, and expect email content or inline images to be sent to the AI provider or subagent mode you configure. Use a dedicated mailbox/app password if possible, choose trusted AI endpoints and delivery channels, review the cron jobs before enabling them, and avoid running it from directories containing untrusted .env files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (26)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares powerful capabilities in practice—reading environment variables, reading/writing files, using the network, and invoking shell commands—without any explicit permission declaration or user-facing disclosure. In this context, the skill handles email accounts, local archives, API keys, and scheduled automation, so the absence of declared permissions undermines informed consent and increases the risk of silent data access, exfiltration, or destructive actions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The public description emphasizes email retrieval, AI triage, local archiving, and forwarding, but the skill also performs additional sensitive actions such as installing cron jobs, deleting archives and databases, retrieving stored mail by ID, and sending digest/error messages. This mismatch is dangerous because users may authorize the skill for one workflow while not realizing it can persist itself, expose archived content later, or remove stored data.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill can create persistent host-level OpenClaw cron jobs, which extends its behavior from email management into local task automation and persistence. In an agent-skill context, this is security-relevant because it can establish recurring execution without a clear trust boundary or explicit high-friction consent in the code path.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The CLI exposes destructive deletion commands that recursively remove mail archives, outbox state, logs, and database data. In a skill expected to manage email, this broad local deletion capability increases blast radius and could cause irreversible data loss if invoked accidentally or by a malicious workflow.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README advertises local archiving as a feature but does not clearly warn that full email bodies and attachments are stored on disk. Because emails commonly contain sensitive personal, financial, or business data, users may enable the skill without understanding the privacy and retention implications.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README promotes automatic forwarding of urgent emails and summaries to Telegram, Feishu, DingTalk, and similar services without clearly warning that potentially sensitive message content is transmitted to third-party platforms. This can expose confidential communications outside the mailbox environment, especially if notifications include message excerpts or attachment-derived summaries.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The configuration guidance instructs users to place mailbox credentials and third-party AI API keys into environment files, but it does not clearly warn about the sensitivity of those secrets or the trust boundary created by sending email content to external AI providers. This increases the chance of unsafe secret handling and unintentional disclosure of mailbox data to external services.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly promotes local archiving of original emails and attachments but does not warn users that this creates a persistent local store of sensitive communications and files. In the context of an email-management skill, this increases privacy, retention, and endpoint-compromise risk because users may unknowingly keep confidential data indefinitely on disk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README advertises sending urgent emails and digests to third-party messaging platforms without warning that email content may be disclosed outside the original mailbox environment. This is dangerous because sensitive email subjects, bodies, or attachments could be forwarded to Telegram, DingTalk, Feishu, or similar services with different security and compliance properties.

Missing User Warnings

High
Confidence
98% confidence
Finding
The README describes AI-based analysis and image understanding of emails without warning that email bodies, screenshots, photos, and attachments may be sent to external AI providers for processing. For an email skill, this is particularly sensitive because users may expose confidential correspondence, personal data, and documents to remote model vendors or compatible API endpoints.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly advertises automatic forwarding of email content, images, and attachments to third-party channels such as Telegram, DingTalk, WeCom, and Feishu, but does not warn about privacy, confidentiality, or accidental disclosure risks. Because email often contains sensitive personal, business, and credential-bearing content, automatic external transmission materially increases the likelihood of data leakage.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill stores raw .eml files, markdown conversions, attachments, logs, and a tracking database on disk, but does not disclose the sensitivity of this local archive or the need to protect it. In a mail-processing skill, local storage can accumulate authentication artifacts, personal data, contracts, invoices, and other confidential records, making the host a high-value target.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide encourages enabling multimodal analysis of email images but does not clearly disclose that inline image content from emails will be transmitted to an external AI provider for processing. In an email-management skill, this can expose sensitive personal or business information contained in screenshots, scans, invoices, or embedded graphics, making the omission a real privacy/security issue.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This code prepares an external analyzer using provider credentials and later sends email bodies and attachment metadata for AI analysis, but this path does not present a clear user warning or consent checkpoint. Because emails can contain highly sensitive personal or business information, silent transmission to third-party AI services creates a serious privacy and data-governance risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The batch-analysis path reads locally stored email content and attachment metadata and sends them to external AI providers without a visible privacy notice or per-run confirmation. In this skill's context, the data is especially sensitive because it aggregates multiple mailboxes and may include attachments and inline images.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The analyzer sends full email content and, when enabled, inline images to a third-party OpenAI-compatible API for processing, but the code shown provides no explicit consent flow, warning, redaction, or policy gate before transmitting potentially sensitive data. In an email-management skill, this is especially risky because messages may contain personal data, credentials, contracts, invoices, or confidential business information.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This code sends full email fields and optionally inline image attachments to Anthropic for analysis, but there is no consent gate, disclosure, minimization, or policy enforcement in this component. Because email bodies and images commonly contain sensitive personal, business, or credential-related content, forwarding them to a third-party AI service can create a real privacy and data-governance risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code globally monkey-patches builtins.print so arbitrary output from this process is silently persisted to disk via the logger. In a skill that handles email content and likely processes credentials, tokens, message bodies, and debugging output, this increases the chance that sensitive data is captured without clear user awareness or per-call consent.

Missing User Warnings

Medium
Confidence
76% confidence
Finding
The code persists email bodies, headers, attachment metadata, and attachment files to local disk, which can expose highly sensitive mailbox contents if the storage path is readable by other local users, backed up insecurely, or left unencrypted. In the context of an email-management skill, this materially increases privacy and data-exposure risk because the stored data may include credentials, invoices, personal data, and internal business communications.

Ssd 1

High
Confidence
97% confidence
Finding
Untrusted email fields (sender, subject, body) are interpolated directly into the prompt, so a crafted email can include instruction-like text that manipulates the model's output despite the surrounding policy prompt. Because downstream logic trusts the model's JSON to decide urgency and summaries, an attacker can suppress alerts, create false urgent alerts, or poison summaries, which is particularly dangerous in an automated email triage and notification workflow.

External Transmission

Medium
Category
Data Exfiltration
Content
SMART_EMAIL_LLM_PROVIDER=openai  # openai | anthropic | subagent

# OpenAI configuration
SMART_EMAIL_OPENAI_API_URL=https://api.example.com/v1
SMART_EMAIL_OPENAI_API_KEY=xxx
SMART_EMAIL_OPENAI_MODEL=gpt-4o-mini
Confidence
81% confidence
Finding
https://api.example.com/

Credential Access

High
Category
Privilege Escalation
Content
env_paths = [
    Path.home() / ".openclaw" / ".env",
    Path.cwd() / ".env",
    WORKSPACE_DIR / ".env"
]
for env_path in env_paths:
    if env_path.exists():
76% confidence
Finding
.env"

Unpinned Dependencies

Low
Category
Supply Chain
Content
openai>=1.0.0
requests>=2.28.0
python-dotenv>=1.0.0
Confidence
93% confidence
Finding
openai>=1.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
openai>=1.0.0
requests>=2.28.0
python-dotenv>=1.0.0
Confidence
95% confidence
Finding
requests>=2.28.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
openai>=1.0.0
requests>=2.28.0
python-dotenv>=1.0.0
Confidence
90% confidence
Finding
python-dotenv>=1.0.0

VirusTotal

VirusTotal findings are pending for this skill version.
