ClawHub

Outlook Reader

Security checks across malware telemetry and agentic risk

Overview

This Outlook email skill mostly matches its purpose, but it needs Review because it can access sensitive mailbox content, save untrusted attachments, and suggests poorly scoped automation such as auto-forwarding financial emails.

Install only if you intentionally want an agent to use your logged-in Outlook profile to search mail and save attachments. Keep searches limited to a specific folder and keyword, avoid the auto-forward and recurring cron examples, and treat downloaded or extracted attachments as untrusted until filenames, paths, and archive contents are checked.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill includes recursive traversal of all Outlook folders and accounts, which substantially expands access beyond the stated task of reading specific emails and downloading their attachments. In the context of an agent skill, this broad mailbox enumeration increases the chance of collecting unrelated sensitive mail, making accidental overreach and privacy violations more likely.

Context-Inappropriate Capability

Low
Confidence
81% confidence
Finding
Automatically extracting ZIP attachments adds a separate file-processing capability that can write many files to disk and unpack untrusted content. In this email-processing context, that creates avoidable risk such as decompression bombs, unsafe file placement, or downstream handling of malicious files.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The automation example proposes forwarding matching emails to an AI assistant, which is a clear data-sharing action outside the stated purpose of local reading and attachment download. Because emails and attachments can contain financial and personal information, automatic forwarding creates a direct exfiltration and privacy risk.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger conditions are broad enough to overlap with ordinary user conversation, increasing the chance that the skill activates when the user did not intend mailbox access or attachment handling. In a skill that touches private email and writes files, accidental invocation is a meaningful security and privacy concern.

Missing User Warnings

High
Confidence
93% confidence
Finding
The skill description omits warnings about reading mailbox data, traversing folders, and saving attachments to local storage, despite handling potentially sensitive personal and financial information. Missing disclosure and consent cues make unsafe use more likely and reduce the user's ability to understand the privacy and file-system impact.

Missing User Warnings

High
Confidence
97% confidence
Finding
The auto-forwarding example lacks any privacy or outbound-data warning even though it would send email content to another recipient or system. In the context of bank statements and billing emails, this omission is especially dangerous because it normalizes silent disclosure of highly sensitive data.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script automatically writes email attachments from matched messages to disk with no explicit confirmation, no extension/type allowlist, and only a weak size-based filter. Because email attachments are untrusted input, this can expose users to accidental download of malicious files, overwrite issues, or unsafe handling of attacker-controlled filenames and content.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal