Qq Email

Security checks across malware telemetry and agentic risk

Overview

This QQ Mail skill mostly does what it says, but it deserves review because it handles mailbox credentials and can save emailed attachments unsafely.

Review before installing. Use environment variables or a secret manager instead of `TOOLS.md` for the QQ auth code, confirm recipients and attachment paths before sending, avoid `read --save` until filenames are sanitized, and treat all downloaded email attachments as untrusted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill exposes capabilities to read local files, access environment-backed configuration, and make network connections to QQ Mail, but it does not declare permissions or warn the user about those operations. That mismatch reduces transparency and can lead to unintended disclosure of mailbox contents, auth codes, or attached files when the skill is invoked.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The tool implements a `mark-read` operation that changes mailbox state, but the manifest only describes send/receive/read behavior. In an agent setting, this expands the skill's authority beyond what a user or orchestrator may expect, enabling silent modification of inbox state and potentially hiding messages from later review or other automations.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
`read_email(..., save_attachments=True)` can write attacker-controlled email attachments to local disk, but this side effect is not disclosed in the skill description. In an agent workflow, undisclosed file writes are dangerous because remote email content can cause persistent local artifacts, overwrite expected files, or stage follow-on attacks if users later open saved content.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The README instructs users to place a live QQ Mail authorization code directly into TOOLS.md in plaintext. Storing reusable mail credentials in a shared or workspace-visible config file increases the chance of accidental disclosure to other tools, logs, backups, version control, or collaborators, which could enable unauthorized email access and sending.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users how to send, receive, and read emails, but it does not clearly warn that message content, recipient data, and mailbox metadata are transmitted to a third-party email service and that attachments may be saved locally. In an email skill, this omission is especially important because the handled data is often sensitive and may include personal or business communications.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Attachment filenames are taken from email content and joined directly with `output_dir`, allowing path traversal such as `../../.bashrc` or absolute-path style names to escape the intended directory. Because attachments come from untrusted senders, a crafted email could cause arbitrary file overwrite within the permissions of the running user when `--save` is used.

Ssd 3

Medium
Confidence
98% confidence
Finding
The documentation explicitly recommends storing active email credentials in a plaintext tool configuration file under the workspace. In an agent environment, such files may be broadly readable by other skills, processes, or operators, turning mailbox credentials into a high-value secret that can be reused for reading email, sending phishing messages, or accessing sensitive attachments.

VirusTotal

66/66 vendors flagged this skill as clean.
