Email Marketer

Security checks across malware telemetry and agentic risk

Overview

This is a local email-marketing logging helper that clearly stores and exports user-entered campaign notes, with privacy caveats but no evidence of malicious behavior.

Install only if you are comfortable with a shell-based local CLI that records what you type into plaintext files under ~/.local/share/email-marketer and can export those records. Avoid entering customer-identifying, regulated, or highly confidential campaign data unless your device and backups are appropriately protected.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 95%
Finding:
The skill explicitly logs all entries locally and supports export/search across stored data, but it provides no warning about privacy, retention, access controls, or the sensitivity of marketing inputs. In context, email campaign data can include customer segments, performance metrics, prompts, costs, and strategic plans, so silent persistence and export increase the chance of unintended disclosure or mishandling.

Missing User Warnings

Medium
Confidence: 92%
Finding:
The script persistently stores raw user inputs under ~/.local/share/email-marketer without warning, consent, retention limits, or redaction. In this skill context, users may enter campaign plans, customer segmentation notes, email copy, or other commercially sensitive or personal data, which can later be recovered from local files by other local users, malware, backups, or support tooling.

Ssd 3

Medium
Confidence: 95%
Finding:
User-supplied content is logged in plaintext and then surfaced through export, search, recent, and status workflows, increasing the chance of unintended disclosure. In an email-marketing skill, this is more dangerous because inputs may contain audience segments, performance data, draft campaign messaging, or other confidential business information that becomes trivially discoverable and exfiltrable from local storage.

VirusTotal

63/63 vendors flagged this skill as clean.
