ClawHub

Email Backup

Security checks across malware telemetry and agentic risk

Overview

This skill openly backs up files by emailing archives, but it gives broad file-export power with weak safeguards and unreliable secret-cleaning guidance.

Install only if you intentionally want a tool that can archive local folders and send them through QQ email. Use --no-send first, inspect the archive contents, verify the recipient, and avoid broad paths such as ~/.openclaw, home directories, credential stores, SSH keys, browser profiles, and workspaces with secrets. Do not rely on --clean to remove sensitive data unless the cleanup bug is fixed and tested; protect and rotate the QQ SMTP authorization code if it may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises capabilities to read files, write files, access environment variables, and invoke shell-like installation/testing flows, but the metadata declares no permissions or env requirements. This undermines user consent and review because the effective behavior includes packaging local directories and transmitting them externally via email.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README explicitly promotes packaging and emailing arbitrary directories, including examples such as ~/.openclaw/agents and ~/.openclaw/workspace, but does not clearly warn that this transfers potentially sensitive local data off-system to an external email provider. Even with optional cleaning, users may exfiltrate secrets, personal files, tokens, or agent data because the documented workflow normalizes broad archival and transmission.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation explains backup-by-email behavior but does not prominently warn that archived directory contents are transmitted off-host and may still contain secrets even when '--clean' is used. Users may treat this as routine backup and unintentionally exfiltrate credentials, agent data, or personal files to email infrastructure.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The document tells users to configure a QQ邮箱 SMTP 授权码, which is a sensitive credential, but it provides no warning about treating it like a secret, avoiding plaintext storage, or limiting exposure. In a skill whose purpose is to package files and send them by email, mishandling SMTP credentials materially increases the risk of account compromise and unauthorized email exfiltration.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger phrase "安装 email-backup skill" is overly generic and could cause accidental invocation or installation in conversational contexts where the user did not intend to run an install action. In an agent/chat environment, ambiguous install triggers increase the risk of unintended package deployment and execution of unreviewed code.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The instructions tell users to place email credentials in environment variables without warning that these secrets may be exposed through shell history, process inspection, logs, or inherited subprocess environments. Because this skill handles outbound email, compromise of the SMTP authorization code could enable unauthorized account access or abuse of the mailbox for exfiltration and spam.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The usage example includes a `--clean` option without any warning about what data will be deleted after backup. In a file backup skill, destructive cleanup is especially risky because users may assume the operation is non-destructive and accidentally remove original files or intermediate archives.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script packages arbitrary user-supplied directories and emails the resulting archive to an external SMTP destination, with no explicit consent checkpoint, privacy warning, recipient validation, or allowlist limiting exfiltration. In a backup skill, this is especially risky because users may include sensitive files by mistake, and the default behavior is to send the archive unless --no-send is specified.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The script rewrites files in place after regex substitutions with no backup, dry-run mode, confirmation, or path safety guardrails. In the context of a backup-oriented skill, this is more dangerous because it can silently alter source material before archival or emailing, causing irreversible data loss, corruption, or destruction of forensic evidence.

Ssd 3

Medium
Confidence
96% confidence
Finding
The examples explicitly recommend archiving broad OpenClaw directories such as agents and workspace, which are likely to contain prompts, agent state, logs, tokens, API keys, and personal data. Combining bulk collection with external email transmission materially increases the chance of sensitive-data disclosure, especially because cleaning is incomplete by design.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal