ClawHub

Email Tool

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a real email tool, but it gives an agent broad ability to send mail and read inbox contents with weak in-skill safeguards and a vulnerable mail dependency.

Review before installing. Use only with a dedicated or least-privileged mailbox, prefer app-specific credentials, restrict who can invoke the skill, require manual confirmation before sending email or marking messages read, and upgrade nodemailer to a fixed major version before production use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill loads live email credentials from environment variables or a local secrets file and keeps them available for later SMTP/IMAP use. In a skill with no documented business justification, handling mailbox credentials materially expands access to sensitive external systems and enables account misuse if the skill is invoked unexpectedly or repurposed.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The skill can send arbitrary outbound email using stored credentials, with recipient, subject, body, cc, and bcc controlled by input. This creates a direct exfiltration and abuse channel for phishing, spam, data leakage, or unauthorized communications from a trusted mailbox.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The skill connects to IMAP and searches mailbox contents, then returns message metadata and body text to the caller. In the absence of a clearly stated purpose and access controls, this enables unauthorized access to potentially sensitive email content and provides a straightforward data collection/exfiltration path.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill exposes email sending and inbox search capabilities, including an option to mark messages as read, but does not prominently warn users that these actions can transmit data externally or alter mailbox state. This can lead to unintended disclosure, accidental outbound messaging, or silent modification of read/unread status if a user or agent invokes the skill without understanding the consequences.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The manifest exposes powerful email capabilities with minimal descriptions like 'Send an email' and 'Search for emails', which do not constrain when the agent should invoke them or what user confirmation is required. In an agentic context, vague tool descriptions increase the chance of overbroad or unintended invocation, including sending messages or accessing mailbox contents without sufficiently explicit user intent.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This manifest grants outbound email capability without warning that recipients, subject lines, and message bodies will be transmitted to external parties. In an AI skill setting, that makes accidental data exfiltration more likely because the user or orchestrator may not be clearly alerted that sensitive content can leave the system.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The search skill can inspect mailbox contents and optionally mark messages as read, but the manifest does not clearly disclose either the privacy implications of mailbox access or the side effect of modifying read state. This can lead to unintended exposure of sensitive email data and silent mailbox changes that affect users or downstream workflows.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
Email can be transmitted immediately with no user-facing warning, confirmation, or secondary approval. That lack of friction increases the chance of accidental or malicious use of the mail capability, especially because the function supports arbitrary recipients and hidden BCC delivery.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The inbox search function retrieves email headers and body text without any warning or consent flow indicating that mailbox contents will be accessed. This makes sensitive data exposure more likely because callers may trigger broad mailbox reads without understanding the privacy impact.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"description": "Send and read emails via Zoho IMAP/SMTP",
  "main": "src/index.js",
  "dependencies": {
    "nodemailer": "^6.9.8",
    "imap-simple": "^5.1.0"
  },
  "openclaw": {
Confidence
83% confidence
Finding
"nodemailer": "^6.9.8"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"main": "src/index.js",
  "dependencies": {
    "nodemailer": "^6.9.8",
    "imap-simple": "^5.1.0"
  },
  "openclaw": {
    "skills": {
Confidence
81% confidence
Finding
"imap-simple": "^5.1.0"

Known Vulnerable Dependency: nodemailer==6.9.8 — 5 advisory(ies): GHSA-9h6g-pr28-7cqp (nodemailer ReDoS when trying to send a specially crafted email); GHSA-c7w3-x93f-qmm8 (Nodemailer has SMTP command injection due to unsanitized `envelope.size` paramet); CVE-2025-13033 (Nodemailer: Email to an unintended domain can occur due to Interpretation Confli) +2 more

High
Category
Supply Chain
Confidence
98% confidence
Finding
nodemailer==6.9.8

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal