email-reporter

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims by emailing reports, but unsafe command execution and weak credential handling make it something users should review before installing.

Install only after review or patching. Prefer environment variables or a secret manager over the plaintext config file, avoid msmtp mode until the shell command is fixed, use app-specific SMTP credentials, and run it only after checking the exact recipient and report contents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
f.write(msg.as_bytes())
    
    cmd = f'cat {temp_file} | msmtp -t {to_addr}'
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    
    return result.returncode == 0
Confidence
99% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill documents capabilities to read files, write files, access environment variables, and invoke shell/Python, but it declares no explicit permissions or trust boundaries. This can cause agents or operators to invoke a tool with broader access than expected, increasing the chance of unintended data exposure or command execution during report generation and email sending.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill is designed to handle SMTP credentials and load them from environment variables and a local config file, which expands its access to sensitive secrets beyond simple report formatting. In an agent context, this creates a reusable credential-handling surface that can expose mail account secrets through local compromise, accidental disclosure, or downstream helper misuse.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The setup wizard persistently writes SMTP credentials, including the password, to ~/.email_reporter.conf in plaintext. That creates a straightforward credential-exposure risk for any local user, process, backup system, or malware able to read the home directory, and the file is written without permission hardening.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The SMTP path will read and email any local file path supplied as `attachment_path`, not just generated report PDFs as described by the skill metadata. In an agent environment, this can be abused to exfiltrate sensitive local files such as configuration, credentials, or other workspace data off-system.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The msmtp path repeats the same arbitrary-file attachment behavior, allowing any existing local file to be attached and sent. Because this skill's purpose is report delivery, broad attachment support increases the risk of unauthorized data exfiltration beyond the documented scope.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The description presents the skill as a generic email reporting tool without clear activation constraints, recipient restrictions, or data-sensitivity guidance. In an agent ecosystem, broad descriptions can cause over-invocation on arbitrary reports, including sensitive content, leading to unintended exfiltration via email.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation encourages sending reports and attachments externally but does not warn that report contents, embedded images, tables, or generated PDFs may contain sensitive data. Because the stated purpose is outbound email delivery, the missing warning materially increases the risk of accidental exfiltration of confidential agent outputs.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The configuration examples instruct users to store SMTP credentials in environment variables and especially in a plaintext config file, but provide no guidance on secret protection, file permissions, rotation, or safer secret stores. Exposed SMTP credentials can be reused to access mail infrastructure, send phishing messages, or exfiltrate additional data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The tool collects an SMTP password interactively and writes it to disk without a clear warning that the secret will be stored persistently. This increases the chance of unsafe operator behavior and silent credential leakage because users may assume the password is used only for the current session.

Session Persistence

Medium
Category
Rogue Agent
Content
### Option 2: Config File

Create `~/.email_reporter.conf`:

```json
{
Confidence
84% confidence
Finding
Create `~/.email_reporter

VirusTotal

64/64 vendors flagged this skill as clean.
