139mail

Security checks across malware telemetry and agentic risk

Overview

This email skill largely does what it says, but it handles mailbox credentials and private email while disabling IMAP certificate verification and lacking strong action confirmation.

Install only if you are comfortable giving the agent access to read and send email from the configured mailbox. Use an app-specific password, restrict the config file permissions yourself, verify every outgoing recipient and attachment path, and avoid sensitive accounts until IMAP certificate verification is fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill clearly describes IMAP/SMTP functionality, which requires outbound network access, yet no permissions are declared. This creates a transparency and policy-enforcement gap: users or the platform may not be properly informed that the skill can transmit email content and credentials over the network.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill implements full message retrieval by UID, including body content and attachment metadata, which materially exceeds the declared inbox/unread listing behavior. This expands access from summary metadata to sensitive email contents, increasing the risk of privacy violations or unauthorized data exposure if the agent invokes the skill more broadly than users expect.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The send path allows attaching any local file path supplied on the command line, but this capability is not disclosed in the manifest. In an agent setting, undisclosed arbitrary file attachment can enable exfiltration of local secrets, tokens, SSH keys, or user documents by emailing them to an attacker-controlled address.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The activation phrases are broad terms like '发邮件', '收邮件', '查看邮件', '邮箱', and 'email', which are likely to appear in ordinary conversation. That increases the chance of unintended activation, causing the skill to access mailbox data or initiate message composition in situations where the user did not explicitly intend to invoke this specific skill.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill handles highly sensitive data—email bodies, attachments, metadata, and credentials—but the markdown lacks an upfront warning that this information is transmitted to external mail servers and may expose private communications. In an email skill, missing privacy disclosure is more dangerous because users may unknowingly provide account access and transmit sensitive personal or business data.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The email-sending function transmits message content and optional attachments immediately once invoked, without any built-in confirmation or disclosure. In an autonomous or semi-autonomous agent environment, this can turn prompt injection, mistaken tool use, or coerced invocation into unintended outbound communication and data exfiltration.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The inbox listing function connects to the mailbox and outputs email metadata without any explicit privacy notice or consent gate. Although listing headers is expected for an email skill, exposing sender, subject, and dates can still reveal sensitive personal or business information if triggered unexpectedly.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The full read operation outputs complete message text/HTML and attachment metadata without an explicit disclosure or confirmation. Because email bodies often contain credentials, personal data, financial records, or links, unrestricted readout significantly increases confidentiality risk if invoked by mistake or through adversarial prompting.

VirusTotal

64/64 vendors flagged this skill as clean.
