ClawHub

EngageLab Email

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent EngageLab email sender, but it needs review because its helper script can mishandle API credentials and it lacks strong safeguards before live sending or tracking emails.

Install only if you intentionally want an agent to send email through EngageLab. Use sandbox mode first, fix or avoid the provided sender script before using real credentials, use a restricted rotatable API key, and manually confirm recipients, message content, attachments, tracking settings, and live-send status before any real email is sent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
86% confidence
Finding
The invocation description is broad enough that an agent may select this skill for generic email-related tasks without strong user intent confirmation. In practice, that can lead to over-invocation of an externally connected skill that sends message content and recipient data to a third-party service.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill description explains email sending features but does not warn that recipient addresses, subject lines, body content, attachments, and template variables may be transmitted to an external provider. This omission can cause inadvertent disclosure of sensitive or regulated data to a third party without informed user consent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill exposes open, click, and unsubscribe tracking options without warning about privacy, consent, and compliance implications. Tracking pixels and click telemetry can collect recipient behavior, which may violate user expectations or legal requirements if enabled silently.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal