smart asistant mail

Security checks across malware telemetry and agentic risk

Overview

This Gmail skill is mostly purpose-aligned, but it needs Review because it can automate mailbox changes, persist learned routing behavior, and expose an API key in setup output.

Install only if you are comfortable granting a skill Gmail-management authority. Before enabling automation, review or disable heartbeat spam cleanup, auto-archive, and learned-rule promotion; require dry-runs and confirmations for trash/archive/batch changes; mask API keys during setup; verify the gog/gogcli dependency; and disable the bootstrap hook if you do not want this skill affecting future sessions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill clearly uses shell execution, environment variables, and local file reads/writes, but does not declare permissions. That creates hidden capability expansion: a caller may invoke what appears to be an email skill without realizing it can modify local files, persist data, and run commands in the host environment.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The skill description frames this as an email agent, but the documented behavior also initializes workspace state, writes learning/error logs, injects budget context via hooks, and checks authentication/environment state. This mismatch reduces informed consent and can cause the skill to be granted trust and access beyond what a user expects from a normal email helper.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The self-improvement section allows automatic modification of routing rules and promotion of learned patterns, including cases where rules can be promoted without asking the user. In an email-management context, self-modifying classification logic can silently change future handling of messages, causing misrouting, concealment of important mail, or durable policy drift from poisoned inputs.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The hook documentation shows the skill injects budget state, active mode, and pending 'learnings' at session bootstrap, which materially extends behavior beyond the advertised Gmail-focused scope. Hidden bootstrap context injection can influence downstream agent decisions in ways users do not expect, creating a trust-boundary violation and increasing the risk of prompt/context manipulation across all sessions.

Context-Inappropriate Capability

Medium
Confidence
74% confidence
Finding
The initializer checks for SAFE_BROWSING_API_KEY even though this script's visible purpose is Gmail setup. Requesting or normalizing unrelated secrets expands the skill's privilege footprint and can condition operators to provide extra credentials that may later be used by other components.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Telling the system to use this skill for "ANYTHING email-related" creates extremely broad invocation scope for a skill that can read, label, move, trash, draft, automate, and modify persistent state. Over-broad triggers increase the chance of accidental activation for ambiguous requests and therefore unintended access to mailbox data or unintended email actions.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Generic triggers like "email," "inbox," and "draft" are common conversational terms and can cause the skill to activate in contexts where the user did not intend mailbox operations. Because this skill supports destructive and persistent actions, ambiguous invocation makes accidental data exposure or mailbox modification more likely.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The heartbeat workflow describes unattended processing of inbox and spam messages, including direct deletion of spam, without any visible consent, confirmation, audit trail, or warning about privacy and destructive effects. In an email-management skill, this is materially risky because it normalizes autonomous access to message contents and irreversible actions on potentially legitimate mail, which can cause data loss or missed communications.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script prints raw environment variable values such as GOG_ACCOUNT, EMAIL_BUDGET_USD, NOTIFY_CHANNEL, and SAFE_BROWSING_API_KEY to stdout. Console output is commonly captured in logs, CI systems, terminals, or support bundles, so this can leak secrets or sensitive identifiers beyond the intended audience.

Credential Access

High
Category
Privilege Escalation
Content
          description: "Presupuesto mensual en USD (default: 1.00)"
      env_optional:
        - name: GMAIL_CREDENTIALS_PATH
          description: "Fallback: ruta a credentials.json de Gmail API"
        - name: NOTIFY_CHANNEL
          description: "Canal de notificaciones (telegram/slack/whatsapp)"
        - name: SAFE_BROWSING_API_KEY
Confidence
80% confidence
Finding
credentials.json

VirusTotal

52/52 vendors flagged this skill as clean.
