Ethermail

Security checks across malware telemetry and agentic risk

Overview

The skill matches its EtherMail purpose, but it asks users to expose a wallet private key to an external signing workflow without clear metadata scoping, so it belongs in Review.

Install only if you specifically want EtherMail access through an Ethereum wallet. Do not use a primary or funded wallet key; use a disposable wallet, inspect the separate walletconnect-agent before use, prefer manual or hardware-backed signing where possible, and run the browser automation in an isolated environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (83% confidence)
Finding
The description uses broad trigger language such as 'use when you need to check or send emails' without clearly limiting when wallet-based login, browser automation, or signing should occur. In an agent ecosystem, vague invocation criteria can cause the skill to be selected in contexts where the user expected simple email handling, increasing the chance of unnecessary wallet exposure or automated auth actions.

Missing User Warnings

Medium (97% confidence)
Finding
The instructions tell the operator to export a raw PRIVATE_KEY and pass it into a script, but they do not place an immediate, explicit warning at the point of use about the sensitivity of that credential or safer alternatives. This is dangerous because users may paste a production wallet key into shell history or an unreviewed script path, enabling credential theft and full wallet compromise.

VirusTotal

VirusTotal findings are pending for this skill version.
