RevOps Claw | Go-to-market in simplicity and joy

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed email skill for creating and using a SendClaw agent mailbox, with real external-email risk but no evidence of hidden or malicious behavior.

Install only if you want an agent to operate a SendClaw email identity. Set explicit rules for when it may send or reply, require review for sensitive or first-time messages, store the API key as a secret, and configure webhooks only to endpoints you control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The manifest description materially understates the capability of the skill. It presents the tool as a simple contact/email utility with modest limits, while the body exposes full send/receive/reply/search/webhook-driven inbox functionality, which can mislead users and orchestration systems about the real external-communication and data-access surface.

Description-Behavior Mismatch

Severity: Low
Confidence: 91%
Finding
The guidance expands the skill from lightweight communication into broader autonomous actions such as registrations, reservations, and inquiries, which exceeds the narrow framing in the metadata. This mismatch can cause an agent to invoke the skill for higher-risk external actions without the user realizing the full scope.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The heartbeat workflow explicitly instructs the agent to fetch unread emails, process them, and potentially reply automatically, but it provides no guardrails around user consent, data minimization, or approval before outbound responses. In an email-handling skill, this creates real privacy and integrity risk because sensitive inbound content may be read, acted on, or answered without the human understanding that autonomous processing is occurring.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding
The invocation guidance is broad enough to justify sending email for many vaguely related tasks, with no concrete trigger conditions or disallowed cases. In an agent setting, ambiguous activation rules increase the chance of unapproved external communication, social engineering, spammy behavior, or policy bypass through over-eager tool use.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The skill encourages sending and replying to external emails but does not impose a mandatory confirmation step before first contact or before messages with consequential effects are sent. Because email is an external side effect that can disclose information, commit the user to actions, or create reputational and legal risk, missing consent controls is dangerous in agentic workflows.

VirusTotal

66/66 vendors flagged this skill as clean.