ClawInboxRAG

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Gmail mailbox search wrapper that can read and locally index mail, so it is sensitive but purpose-aligned.

Install only if you intend to let a trusted local backend read your Gmail account with read-only OAuth and store searchable local indexes or embeddings. Review the repository configured in GMAIL_RAG_REPO, protect OAuth tokens, and confirm where indexed mail data is stored and how to delete it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 93%
Finding
The skill claims a read-only, mailbox-retrieval posture, but its documented command surface includes `sync`, which runs maintenance operations (`ingest-primary`, `embed`, `refresh-labels`) against an external Gmail-RAG repository/backend. This mismatch can mislead users and higher-level policy systems into granting trust or invoking functionality that performs state-changing or broader-than-advertised actions, increasing the risk of unauthorized data ingestion, indexing, or backend modification.

Description-Behavior Mismatch

Severity: High
Confidence: 95%
Finding
The wrapper advertises a read-only local mailbox retrieval capability, but its allowlist includes maintenance and state-changing operations such as ingest-primary, embed, and refresh-labels. That mismatch can let an agent invoke repository-defined commands that modify mailbox-derived data, indexes, or labels, violating user expectations and expanding the skill from retrieval into mutation/admin behavior.

Intent-Code Divergence

Severity: Medium
Confidence: 87%
Finding
The comment states the CLI commands are run safely, yet the script permits non-read-only maintenance actions. In a security-sensitive wrapper, misleading safety claims increase the chance that reviewers, users, or downstream agents overtrust the interface and invoke actions they would not otherwise permit.

VirusTotal

66/66 vendors flagged this skill as clean.