Email Smart Reply (AI-Powered)

Security checks across malware telemetry and agentic risk

Overview

The skill matches its email automation purpose, but it needs Review because live customer emails can influence shell execution and sensitive email content is sent or stored without strong safeguards.

Install only after reviewing the shell-command issue in kb-retrieval.js and the data flows. Use a dedicated mailbox, restricted Discord channel, limited bot permissions, least-privilege API keys, dry-run testing, redaction/minimization for email content sent to third parties, and clear cleanup rules for drafts, reviews, logs, and test reports before enabling live or scheduled processing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (12)

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The README instructs users to print credential-bearing files (`.env` and Discord config) directly to the terminal without any warning about secret exposure, redaction, or safer alternatives. This can leak IMAP/SMTP credentials or bot tokens into shell history, terminal scrollback, screen recordings, shared sessions, or support logs, which is especially risky in an email automation skill that handles live messaging infrastructure.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The description omits an explicit privacy warning even though the workflow sends email content to third-party services for LLM intent classification and to Discord for human review. In a B2B email context, messages may contain customer data, order details, technical information, or confidential business communications, so undisclosed transmission materially increases privacy, compliance, and data-handling risk.

Missing User Warnings

Severity: Low
Confidence: 84%
Finding
The environment variable examples include sensitive credentials such as API keys, bot tokens, and mailbox passwords without a warning about secure secret storage. This can lead users to place long-lived credentials in insecure local files or repositories, increasing the chance of credential leakage and unauthorized access to mail, LLM, or Discord systems.

Vague Triggers

Severity: Medium
Confidence: 85%
Finding
The delivery-chase intent includes broad English and Chinese keywords such as "when" and "什么时候", which commonly appear in normal business emails outside shipment follow-up contexts. In an auto-reply workflow, this can misclassify ordinary inquiries and trigger the wrong draft or routing path, reducing reliability and potentially sending misleading customer communications.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The complaint intent uses very generic terms like "issue", "problem", and "wrong", which appear in many routine support and sales conversations. Because complaint handling has urgent escalation behavior, attackers or normal users can easily trigger unnecessary escalation or suppress more appropriate handling, creating operational noise and misrouting sensitive customer messages.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
The technical support intent contains highly generic terms like "how to", "error", and the Chinese term "使用", which can appear in a wide range of legitimate sales and product questions. In this skill, misclassification can cause inappropriate knowledge-base retrieval and low-quality automated replies, increasing the chance of incorrect responses being drafted to external customers.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The module sends draft email body content, sender information, subject, and intent metadata to a third-party platform (Discord) for review. In a B2B email workflow, those drafts may contain customer data, sensitive business communications, or regulated information, so forwarding them externally without explicit consent, minimization, or policy controls creates a real confidentiality and privacy risk.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
This integration test pulls live emails from IMAP and persists pipeline results to disk, which can expose sensitive customer content, addresses, and business communications in local artifacts. In the context of a B2B sales email automation skill, handling real customer email data is expected for functionality, but storing it in test reports without minimization, redaction, or explicit safeguards creates a real privacy and data-handling risk.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
In live mode, the script sends generated drafts derived from real customer emails to Discord, which is a third-party external service and may receive sensitive business or personal data. Because this skill processes inbound sales and support-style emails, drafts can contain customer identifiers, commercial terms, and technical details, making unsignaled external transmission materially risky.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The code sends raw email subject and body content to OpenRouter, which is an external third-party LLM provider. In a B2B sales context, inbound emails can contain personal data, customer contacts, pricing discussions, contracts, or other sensitive business information, so this creates a real data exposure and compliance risk even if it is part of the intended feature.

Ssd 1

Severity: Medium
Confidence: 97%
Finding
The email subject and body are interpolated directly into the LLM prompt as untrusted text, so a malicious sender can include prompt-injection instructions that attempt to alter classification, fabricate JSON, or otherwise subvert downstream automation. Because this skill is specifically designed to classify external inbound emails, the attacker-controlled input is first-class and the risk is elevated by the deployment context.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content (flagged snippet):
Classification:`;

  try {
    const response = await fetch('https://openrouter.ai/api/v1/chat/completions', {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
Confidence: 93%
Finding
fetch('https://openrouter.ai/api/v1/chat/completions', { method: 'POST'

VirusTotal

65/65 vendors flagged this skill as clean.