ClawHub

ClawEmail

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Google Workspace helper, but it gives an agent broad power over email, files, calendars, and documents with limited built-in guardrails.

Install only if you trust ClawEmail and are comfortable connecting the selected Google account. Prefer a dedicated or least-privileged account, protect the credentials and token cache files, review OAuth scopes, and require an explicit preview and confirmation before allowing sends, shares, deletes, calendar changes, or bulk edits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The activation text says to use the skill proactively for essentially any Google-related request, which is overly broad for a skill that can read mail, exfiltrate files, share documents, and delete resources. Broad auto-triggering materially increases the chance the agent invokes sensitive actions without a clear, task-specific user consent boundary.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill documents destructive and privacy-sensitive operations such as sending email, sharing files, deleting files, modifying inbox labels, and deleting calendar events without requiring warnings or consent checkpoints. In this context, omission of safety prompts is dangerous because the skill targets highly sensitive personal and business Google Workspace data.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script writes a live OAuth access token to a predictable cache file on disk without explicitly restricting file permissions. On multi-user systems or in environments with permissive umask settings, another local process or user may be able to read the token and use it to access the user's Google data for the token lifetime.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal