Exchange Skills

Security checks across malware telemetry and agentic risk

Overview

This Exchange/Outlook skill is mostly coherent, but it can make broad mailbox changes and its archive command may move mail to Deleted Items without clear warning.

Review before installing. Use this only with an Exchange account where you are comfortable granting full mailbox-management access, keep any .env file private and out of source control, leave SSL verification enabled, and avoid batch archive or mark-read commands unless you have first listed exactly what will be affected. The archive behavior should be fixed or clearly accepted before relying on it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 89%
Finding:
The skill declares required environment variables and documents reading a local `.env` file, but does not declare corresponding permissions despite clearly requiring access to secrets and local files. This creates a transparency and governance gap: users and orchestrators may not realize the skill can read sensitive credentials from the environment or filesystem before it is invoked.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding:
The notes feature explicitly scans the Inbox and classifies certain messages as notes based on folder name or subject text. That expands data access beyond the declared notes scope into regular email content, which can expose unrelated mailbox data and violate least-privilege expectations for the skill.

Intent-Code Divergence

Medium
Confidence: 92%
Finding:
The archive command may select 'Deleted Items' / trash as the archive target when it finds folders named like deleted mail, despite presenting the action as archival. This mismatch can cause unintended destructive handling of email and mislead users or calling agents into believing messages are safely archived when they are actually moved to deletion-oriented folders.

Vague Triggers

Medium
Confidence: 81%
Finding:
The trigger list includes broad terms such as `calendar`, `schedule`, `contacts`, `tasks`, and `notes`, which are common in many unrelated user requests. Overbroad activation can cause the skill to engage in contexts the user did not intend, increasing the chance of unnecessary access to mailbox and calendar data or accidental destructive actions.

Missing User Warnings

Medium
Confidence: 92%
Finding:
The skill advertises privacy-sensitive and destructive actions such as reading email content, replying, marking messages as read, and archiving, including batch operations, without any documented confirmation or warning flow. In the context of an Exchange integration, accidental invocation could expose private communications or modify large volumes of mail in ways that are hard to notice or reverse.

Missing User Warnings

Medium
Confidence: 90%
Finding:
The documentation instructs users to store Exchange credentials in shell configuration or a `.env` file and notes the script will automatically load `.env` from the skill directory, but it does not provide strong warnings about secret exposure risks. Storing long-lived mailbox credentials in plaintext locations increases the likelihood of credential leakage through source control, local compromise, backups, terminal history, or misconfigured file permissions.

Missing User Warnings

Medium
Confidence: 89%
Finding:
The batch archive flow can move many emails in one operation with no confirmation, dry-run preview, or count-based warning before the state-changing action executes. In an agent skill context, that increases the chance of accidental mass mailbox modification from ambiguous prompts or mistaken targeting.

Missing User Warnings

Medium
Confidence: 87%
Finding:
The batch mark-read operation changes message state for potentially many emails without confirmation or pre-action preview. In an automated assistant setting, this can hide unread messages and materially alter user workflow based on a mistaken or overly broad command.

VirusTotal

66/66 vendors flagged this skill as clean.
