ClawHub

Email Best Practices

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only email best-practices skill, with some privacy cautions users should apply when implementing its examples.

Reasonable to install as a reference skill. When using its examples in production, treat email addresses, webhook payloads, IP addresses, locations, API keys, and webhook secrets as sensitive data; minimize what you put in emails and logs, set retention limits, and confirm legal requirements for your jurisdiction.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill description is overly broad and can trigger on many ordinary email-related requests, causing the agent to invoke this skill in situations where narrower or more appropriate guidance should apply. Over-broad activation increases the attack surface for prompt injection and misrouting because an adversarial or irrelevant task mentioning common email terms could unnecessarily activate the skill.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The guidance recommends including IP address and location details in password reset and security alert emails, but does not warn that email is an insecure channel and that this metadata can itself be sensitive. This can lead implementers to over-share personal or device/location information in messages that may be forwarded, stored long-term, or exposed through mailbox compromise, increasing privacy and compliance risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guidance explicitly recommends logging and storing raw webhook events for debugging, but webhook payloads commonly contain user identifiers, email addresses, delivery metadata, and sometimes other operationally sensitive fields. In an email-processing skill, normalizing unrestricted raw-event retention without minimization, redaction, retention limits, or access controls can lead to unnecessary exposure of personal data and increase compliance and breach risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal