Last Words

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent purpose, but it can store sensitive final messages and email credentials and may send or reveal them too easily.

Review carefully before installing. Use only test content and a test recipient until debug sending is isolated from real messages, warning emails go only to the user, SMTP credentials are stored in a real secret store or encrypted without plaintext fallback, and status/reset/delivery flows have clearer confirmations and redaction.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill invokes shell commands, reads and writes local files, and stores data in SQLite, yet declares no permissions. That creates a misleading trust boundary for users and the host platform, especially because the skill handles sensitive messages and email configuration. In a skill that can persist secrets and trigger outbound delivery, undeclared capabilities materially increase risk.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The description centers on delivery after 30 days of inactivity, but the skill also supports immediate sending via debug mode, forced-send behavior, and warning emails at 10 and 20 days. This mismatch can mislead users about when messages may be sent, which is especially dangerous for a 'last words' workflow where accidental or premature delivery has severe personal consequences.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The function claims to send inactivity warnings to the user, but actually sends them to the configured contact, who appears to be the eventual recipient of the final message. In this skill context, that leaks highly sensitive information: it reveals the user's inactivity status and that a posthumous or emergency message has been configured, potentially causing emotional harm, privacy loss, or premature disclosure of the system's purpose.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The main workflow reinforces the same unsafe behavior by treating warnings as if they are user notifications while actually sending them to the configured contact. In a skill designed to deliver final messages to loved ones after inactivity, this mismatch is especially dangerous because it can alert the recipient before the intended threshold and disclose deeply sensitive account state.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The database schema explicitly stores SMTP usernames and passwords, and companion getters return them in plaintext. This creates a credential-compromise risk if the local SQLite file is read by another process, backed up insecurely, or exposed through other parts of the skill. In the context of a 'last words' skill, the data is especially sensitive because it combines intimate message content with account credentials used to send them.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
save_config persists smtp_user and smtp_pass directly into SQLite without protection, normalization, or minimization, making credential theft straightforward for anyone who can access the file. Because get_config later exposes the same values, the code increases both storage and retrieval attack surface for email-account compromise and unauthorized message sending.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code makes a sensitive environment variable (`LAST_WORDS_MASTER_PASSWORD`) part of normal credential handling for SMTP secrets, but this capability is not obviously necessary from the user-facing skill description and is not paired with strong safeguards. More importantly, if the variable is absent or the crypto library is unavailable, the code silently falls back to storing sensitive data in plaintext, creating a real confidentiality risk for highly sensitive end-of-life messaging infrastructure.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The documented chat trigger phrase for configuring email is a natural-language sentence without any explicit command boundary, namespacing, or confirmation step. In an agent/chat environment, overly broad triggers can be invoked accidentally during ordinary conversation, which is especially risky here because the workflow collects sensitive email credentials and can change delivery settings for an automated end-of-life message system.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The message-setting trigger example is also phrased as ordinary speech and lacks guardrails, making accidental activation plausible during casual conversation. In this skill's context, accidental triggering is more dangerous than usual because it can overwrite a user's final message or initiate a highly sensitive workflow involving death-related communications to loved ones.

Missing User Warnings

High
Confidence
97% confidence
Finding
The README advertises automatic sending after inactivity and immediate-send debug behavior, but it does not prominently describe hard safety checks, recipient verification, dry-run behavior, or irreversible consequences. Because the skill sends emotionally sensitive 'last words' to family members, misuse or accidental activation could cause severe psychological harm, reputational damage, and unintended disclosure of personal content.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs users to provide and locally store SMTP authorization credentials through chat, but does not clearly explain retention, exposure risk, or how those secrets are protected at rest. Collecting reusable email credentials in conversational flow is highly sensitive and can lead to account compromise if the local database, logs, or transcripts are accessed.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill exposes a reset command that can clear stored messages and configuration but does not warn users that the action may be irreversible. In this context, deletion can permanently destroy emotionally significant messages and delivery settings, causing serious user harm even if not a classic exploit.

Missing User Warnings

High
Confidence
99% confidence
Finding
Debug mode bypasses the 30-day inactivity safeguard and can immediately deliver the final message with only a flag or external debug state, without an additional confirmation gate. In this product context, that is extremely dangerous because it defeats the core safety control protecting against accidental, premature, or unauthorized disclosure of what may be a last-message or death-trigger communication.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The immediate-send path delivers the stored final message as soon as the command is invoked, with no secondary confirmation, re-authentication, or safety interlock. In a skill whose core function is post-inactivity delivery of sensitive final communications, this bypass can cause irreversible premature disclosure to the configured recipient if triggered accidentally, by another local process, or by misuse of debug mode.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The status command prints sensitive data directly to stdout, including a preview of the final message, delivery contact details, and possibly an audio file path and SMTP endpoint. In this skill's context, those values are exceptionally sensitive because they relate to end-of-life messaging and recipient identities, so disclosure through terminal logs, shared sessions, screenshots, or monitoring systems can expose private communications and operational details.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
`secure_store()` silently stores the SMTP password as plaintext when no master password is configured, despite presenting itself as secure storage. Users or operators may believe credentials are protected when they are not, which is especially dangerous in a skill handling sensitive final communications where account compromise could expose or misuse personal messages.

Ssd 3

High
Confidence
98% confidence
Finding
The skill explicitly directs the agent to collect email SMTP credentials through chat and persist them for later automated sending. This is dangerous because chat transcripts, local databases, or debugging output may expose reusable secrets, enabling takeover of the sender's email account and unauthorized message delivery.

VirusTotal

65/65 vendors flagged this skill as clean.
