Okki Sync Mail

Security checks across malware telemetry and agentic risk

Overview

This is a real email and OKKI CRM automation skill, but it handles live mailbox data, local business files, third-party AI/Discord review, and outbound sending with under-scoped safeguards.

Install only after confirming you want this skill to access a real mailbox, send email, write OKKI CRM records, archive mail locally, read configured business knowledge files, and send email-derived content to OpenRouter or Discord. Use a dedicated mailbox and test OKKI workspace first, narrow allowed read/write directories, disable Discord/OpenRouter paths if not approved, and require dry-run plus explicit human confirmation before any customer-facing send.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (40)

Intent-Code Divergence (Medium severity, 98% confidence)

The document explicitly forbids sending example quotation PDFs to real customers, yet nearby command examples still attach files from the `examples/` directory. This contradiction can directly cause operators or agents to send non-customer-specific documents to external recipients, leading to data quality, professionalism, and business-process integrity failures.

Intent-Code Divergence (Medium severity, 98% confidence)

The checklist mandates creating a new customer-specific quotation for each outreach, but subsequent examples instruct users to attach example PDFs instead. In an automation skill, contradictory operational guidance is dangerous because users may copy the executable example rather than follow the prose policy, causing repeated improper outbound communications.

Intent-Code Divergence (Medium severity, 97% confidence)

The later 'lessons learned' section says example quotation files must never be sent to real customers, but earlier examples still prescribe that exact behavior. This creates a documented unsafe workflow and increases the chance that an agent or human follows the earlier concrete command instead of the later warning.

Description-Behavior Mismatch (Medium severity, 84% confidence)

The documented scope expands from email/OKKI sync into personalized sales outreach and orchestration of quotation-generation workflows. That broadening increases the chance of unintended actions, attachment handling, and disclosure of customer data to other tools or directories beyond what a user would expect from a mail-sync skill.

Intent-Code Divergence (Medium severity, 93% confidence)

The documentation inconsistently states that status code 4 means successful delivery, while elsewhere it correctly says that the code only indicates SMTP acceptance. This can mislead operators into believing sensitive or business-critical messages were actually delivered, causing bad decisions, missed follow-up, or false compliance/audit assumptions.

Description-Behavior Mismatch (Medium severity, 92% confidence)

The code explicitly archives full inbound emails, metadata, and attachment listings to local Markdown files, while the described skill purpose emphasizes mail sync with OKKI rather than persistent local archival. This is a security-relevant behavior gap because users may not expect sensitive mail content to be duplicated onto disk, increasing exposure through local compromise, backup leakage, or unintended indexing by other tools.

Context-Inappropriate Capability (Medium severity, 94% confidence)

The script invokes an external Python program via shell command construction using untrusted email-derived values such as domain and company name. Because execSync is passed a composed command string, crafted input containing shell metacharacters could lead to command injection and arbitrary command execution under the agent's privileges.

Description-Behavior Mismatch (Medium severity, 92% confidence)

This file implements an AI reply-generation and Discord review workflow that is materially different from the stated OKKI mail sync/SMTP-IMAP automation purpose. Scope drift like this is dangerous because it can introduce undisclosed data flows and automated processing of email content that users or operators would not reasonably expect from the declared skill behavior.

Context-Inappropriate Capability (Medium severity, 95% confidence)

The code sends email-derived data to Discord for review even though Discord is unrelated to the advertised OKKI mail sync function. This creates an unjustified third-party data exfiltration path for potentially sensitive business communications, increasing confidentiality and compliance risk if customer or internal email details are exposed outside the intended system boundary.

Description-Behavior Mismatch (Medium severity, 91% confidence)

The integration test implements a substantially broader workflow than the declared OKKI CRM mail-sync capability: it pulls live IMAP mail, performs intent analysis, generates replies, and routes content for Discord review. This mismatch expands the trust boundary and can cause operators to run code with data-processing and outbound-sharing behaviors they did not expect from the skill description.

Description-Behavior Mismatch (Medium severity, 95% confidence)

The script sends generated draft content to Discord, which is an external third-party service not disclosed in the skill description. Because email drafts may contain sensitive customer data, this creates an undisclosed data exfiltration path and materially increases privacy and compliance risk.

Context-Inappropriate Capability (Medium severity, 88% confidence)

Intent classification, knowledge-base retrieval, and automated reply generation go beyond simple mail synchronization and introduce autonomous content processing and response drafting. In a mail-sync context, these features increase the risk of unintended data use, inaccurate automated actions, and hidden secondary processing of mailbox content.

Description-Behavior Mismatch (High severity, 92% confidence)

This module adds broad local knowledge-base access and external Python execution that are not aligned with the declared mail/OKKI sync purpose. In an agent skill, undocumented access to a local vault and subprocess execution materially increases attack surface and can expose sensitive local data or enable unintended code execution paths if user-controlled input reaches the command invocation.

Context-Inappropriate Capability (Medium severity, 88% confidence)

The code invokes a local Python script via execSync and interpolates the query into a shell command string. Even though arguments are quoted, shell-based invocation with potentially variable input is risky and unnecessary here; combined with the skill's unrelated purpose, it creates an unjustified execution primitive and can lead to command injection or execution of untrusted local scripts if paths or inputs are influenced.

Context-Inappropriate Capability (Medium severity, 90% confidence)

The module recursively reads a hard-coded Obsidian vault under a user home directory, which can expose unrelated personal or business documents to the skill runtime. In the context of a mail automation skill, this is especially dangerous because retrieved content could be incorporated into outbound messages or logs, causing sensitive data leakage beyond the intended mail/CRM scope.

Intent-Code Divergence (Medium severity, 96% confidence)

The code converts status code 4, which the file itself documents as only 'SMTP accepted', into status_text '成功'/'success' when returning status results. In a mail automation and CRM sync skill, this can mislead operators and downstream systems into believing a message was delivered to the recipient inbox, causing incorrect audit records, bad customer follow-up assumptions, and possible compliance or business-process failures.

Context-Inappropriate Capability (Medium severity, 97% confidence)

The wrapper builds a shell command by concatenating untrusted fields such as to, subject, body, html, attach, and cc into a single string passed to execSync(). Because execSync(args.join(' ')) invokes a shell, an attacker controlling any of these values can inject shell metacharacters and execute arbitrary OS commands, which is especially dangerous in a mail automation skill that handles externally influenced message content.

Intent-Code Divergence (Medium severity, 95% confidence)

The reply flow auto-builds CC recipients from the original sender, To, and Cc fields, so a user invoking `reply` may unintentionally send their response to all participants. In an email automation skill, this can leak internal or sensitive content to unintended recipients and violates the principle of least surprise for communication actions.

Intent-Code Divergence (Medium severity, 91% confidence)

The skill exposes separate `reply` and `reply-all` commands in its interface, but both paths are implemented equivalently, creating misleading security-relevant UX. In a mail automation context, mismatched command semantics can cause accidental disclosure when operators rely on the safer-looking `reply` command.

Missing User Warnings (Medium severity, 85% confidence)

The document describes automatic archiving of email bodies, sender/recipient metadata, attachments lists, and OKKI customer-matching data without a clear privacy, retention, consent, or access-control warning. In a mail-processing integration, this materially increases the risk of unauthorized retention of sensitive communications and downstream privacy or compliance violations.

Missing User Warnings (Medium severity, 93% confidence)

The README promotes automatic capture, local archiving, and CRM synchronization of inbound and outbound emails, but it does not clearly warn users that this can process sensitive personal, commercial, and credential-bearing content at scale. In this skill context, the omission is more dangerous because the tool is specifically designed to continuously ingest and replicate email data into local storage and OKKI, increasing privacy, compliance, and data-spillage risk if deployed carelessly.

Missing User Warnings (Medium severity, 95% confidence)

The README documents destructive commands such as deleting mail without any prominent warning that these actions may be irreversible or may affect production mailboxes. In an email-management skill, this is operationally dangerous because users may run examples directly against live accounts and unintentionally destroy business records or evidence needed for compliance and recovery.

Natural-Language Policy Violations (Medium severity, 78% confidence)

The skill documentation prescribes a fixed sender identity and signature format without clear user opt-in, tenant separation, or locale choice. In a mail-sending skill, that can cause impersonation, accidental use of the wrong corporate identity, and unauthorized outbound communications under a predefined business persona.

Missing User Warnings (Medium severity, 93% confidence)

The checklist instructs users to send emails with a recipient address and multiple attachments, including a quotation PDF and product catalog, but it does not include any verification or confidentiality safeguards before transmission. In this skill context, the workflow handles customer-specific business documents and CRM-linked outreach, so missing checks for recipient validation, attachment sensitivity, and authorization increases the risk of misdelivery, data leakage, and unintended disclosure of commercial information.

Missing User Warnings (Medium severity, 88% confidence)

The document describes a production-like workflow that sends email to a real customer address, attaches files, and writes follow-up notes into OKKI CRM, but it provides no consent, approval, dry-run, or warning language. In an agent-skill context, this normalizes external data transmission and CRM mutation as routine actions, increasing the chance that an automated agent performs them on real records without human review.

VirusTotal

65/65 vendors flagged this skill as clean.