Email Assistant

Security checks across malware telemetry and agentic risk

Overview

This email assistant is mostly purpose-aligned, but it needs review because it can change Gmail messages and handles mailbox credentials/tokens in risky local ways.

Install only if you are comfortable granting mailbox access. Before use, remove or guard the Gmail demo code that automatically marks a message, avoid passing passwords on the command line, use revocable app passwords or least-privilege OAuth, keep token and exported email files private, and consider replacing pickle token storage with a safer protected credential format.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (6)

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The example instructs users to pass an email app password directly on the command line, which can expose the secret through shell history, terminal logging, process listings, and monitoring tools. Even though it uses an app password rather than the main account password, it is still a valid credential that could allow mailbox access if disclosed.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This sample command again places the mailbox authorization code/password directly in a CLI argument, creating unnecessary exposure in shell history and potentially in process inspection output. Because the document is instructional, users may copy it verbatim and unknowingly leak active credentials.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The Outlook/Hotmail example repeats the same unsafe pattern of passing a password as a command-line parameter, which may be captured by shell history, process lists, or system telemetry. The presence of surrounding security advice does not eliminate the immediate leakage risk in the example itself.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The OAuth credentials object is serialized to a local token.pickle file without any permission hardening, secure storage mechanism, or warning to the user that this file grants ongoing Gmail access. If the host is multi-user, backed up insecurely, or the working directory is exposed, theft of this token can enable unauthorized mailbox access within the granted scopes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script accepts the email password via a command-line argument, which can expose credentials to other local users through process listings, shell history, audit logs, or job runners. In this skill's context, the secret is a live IMAP password or app token for a mailbox, so accidental disclosure can directly enable mailbox access and persistence until the credential is rotated.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script exports email-derived fields such as summaries, descriptions, and subjects directly into an ICS file and a companion JSON debug file on disk. Because email content may contain sensitive personal or organizational data, this creates a confidentiality risk through unintended local persistence and broader exposure if those files are later synced, shared, or opened by other applications.

VirusTotal

65/65 vendors flagged this skill as clean.
