Bee Push Email

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims, but it needs review because it installs a persistent email-monitoring service and automatically copies sensitive OpenClaw credentials into its own service config.

Install only if you intentionally want a boot-starting service that continuously monitors the configured mailbox. Use an app-specific email password, keep auto-reply set to false or ask, prefer explicit channel/target configuration, and review /opt/imap-watcher/watcher.conf because it can contain both the mailbox password and an OpenClaw gateway token.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (9)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    try:
        log.info(f"Triggering OpenClaw agent: {' '.join(cmd[:6])}...")
        result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
        log.info(f"OpenClaw agent triggered. Exit code: {result.returncode}")
        if result.stdout:
            log.info(f"OpenClaw stdout: {result.stdout[:500]}")
Confidence
88% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""Run a shell command."""
    is_shell = isinstance(cmd, str)
    print(f"  $ {' '.join(cmd) if isinstance(cmd, list) else cmd}")
    result = subprocess.run(
        cmd, shell=is_shell, capture_output=capture_output, text=capture_output
    )
    if check and result.returncode != 0:
Confidence
96% confidence
Finding
result = subprocess.run(cmd, shell=is_shell, capture_output=capture_output, text=capture_output)

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The documentation says --test with JSON config performs testing only, but validate_config() still auto-reads an OpenClaw gateway token from environment/root config when openclaw_token is absent. In a security-sensitive installer, silently pulling credentials during a purported test-only path violates least surprise and can expose or misuse local secrets in workflows that were expected to be non-installing and non-credential-enriching.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The installer automatically reads a gateway authentication token from OPENCLAW_HOME, the current user's config, and /root/.openclaw/openclaw.json, then stores it into this skill's own config. This cross-component secret harvesting is dangerous because it expands the trust boundary, copies a privileged credential into another service, and enables that service to act on behalf of the OpenClaw gateway.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The script’s header describes only local cleanup, but it also executes a Python helper that performs an external Telegram bot-management action. That hidden network-affecting behavior increases risk because operators may run the uninstaller expecting only local changes, while it can trigger unintended remote state changes via whichever helper script is found on disk.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The skill advertises broad natural-language triggers such as 'start watcher', 'stop watcher', and troubleshooting phrases in multiple languages in addition to explicit slash commands. That makes accidental invocation more likely, and because this skill can install software, manage a persistent service, and uninstall components, an unintended trigger could lead to impactful administrative actions.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code accesses standard OpenClaw token locations implicitly and only later prints that a token was found. In a privileged installer, silent credential access without a just-in-time consent prompt reduces transparency and can cause operators to unintentionally authorize downstream message delivery actions.

Session Persistence

Medium
Category
Rogue Agent
Content
---
name: bee-push-email
description: Push email notifications via IMAP IDLE + Himalaya + OpenClaw agent. Detects new emails in real-time and triggers the agent to process and notify the user. Use when: setting up email push notifications, configuring IMAP watcher, installing bee-push-email system, testing email connectivity, checking system dependencies, viewing email-push config, troubleshooting IMAP IDLE watcher, or managing the imap-watcher systemd service. Also handles uninstall/cleanup of the bee-push-email system. Trigger on beemail commands: /beemail, /beemail_start, /beemail_stop, /beemail_status, /beemail_test, /beemail_reply, /beemail_reply_off, /beemail_reply_ask, /beemail_reply_on. Also: start watcher, stop watcher, watcher status, email push status, registrar comandos, comandos no aparecen, beemail no funciona en telegram.
emoji: 📧
requirements:
  bins:
Confidence
91% confidence
Finding
systemd service. Also handles uninstall

Session Persistence

Medium
Category
Rogue Agent
Content
| **Python venv** | `/opt/imap-watcher/` | Isolated env, not system-wide |
| **pip package** | `imapclient` (inside venv only) | Not installed system-wide |
| **Watcher script** | `/opt/imap-watcher/imap_watcher.py` | Copied from skill directory |
| **systemd unit** | `/etc/systemd/system/imap-watcher.service` | Enabled + started, restarts on boot |
| **Config file** | `/opt/imap-watcher/watcher.conf` | chmod 600, owner imap-watcher only |
| **Log file** | `/var/log/imap-watcher.log` | chmod 640, owner imap-watcher |
Confidence
96% confidence
Finding
systemd unit** | `/etc/systemd/system/imap-watcher.service` | Enable

VirusTotal

57/57 vendors flagged this skill as clean.
