YouOS

Security checks across malware telemetry and agentic risk

Overview

YouOS appears to be a real local email-copilot app, but some default and fallback paths can send private email or notes to Claude despite strong local-only messaging.

Install only after reviewing the source and settings. For strict local use, set review.draft_model to local and model.fallback to none before drafting, avoid enabling nightly/service mode unless you want background processing, keep the server bound to 127.0.0.1, and configure a PIN/token allowlist before using the web UI or browser extension.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (48)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        try:
            venv_python = Path(__file__).resolve().parents[3] / ".venv" / "bin" / "python3"
            script = Path(__file__).resolve().parents[3] / "scripts" / "nightly_pipeline.py"
            subprocess.run([str(venv_python), str(script), "--autoresearch-only"], timeout=7200)
        except Exception:
            pass
Confidence
94% confidence
Finding
subprocess.run([str(venv_python), str(script), "--autoresearch-only"], timeout=7200)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"JSON array:"
    )
    try:
        result = subprocess.run(
            ["claude", "--print", "-p", prompt],
            capture_output=True,
            text=True,
Confidence
91% confidence
Finding
result = subprocess.run( ["claude", "--print", "-p", prompt], capture_output=True, text=True, timeout=30, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""Commit config changes for a kept autoresearch improvement."""
    msg = f"autoresearch: keep {surface_name} {old_value} → {new_value} (composite {baseline_composite:.4f} → {candidate_composite:.4f})"
    try:
        subprocess.run(
            ["git", "add", "configs/retrieval/defaults.yaml", "configs/prompts.yaml"],
            capture_output=True,
            timeout=10,
Confidence
89% confidence
Finding
subprocess.run( ["git", "add", "configs/retrieval/defaults.yaml", "configs/prompts.yaml"], capture_output=True, timeout=10, cwd=ROOT_DIR,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
timeout=10,
            cwd=ROOT_DIR,
        )
        subprocess.run(
            ["git", "commit", "-m", msg],
            capture_output=True,
            timeout=10,
Confidence
92% confidence
Finding
subprocess.run( ["git", "commit", "-m", msg], capture_output=True, timeout=10, cwd=ROOT_DIR, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
tag_name = f"autoresearch-{timestamp}"
    tag_msg = f"composite {baseline_composite:.4f} → {final_composite:.4f}, {improvements_kept} improvements"
    try:
        subprocess.run(
            ["git", "tag", tag_name, "-m", tag_msg],
            capture_output=True,
            timeout=10,
Confidence
87% confidence
Finding
subprocess.run( ["git", "tag", tag_name, "-m", tag_msg], capture_output=True, timeout=10, cwd=ROOT_DIR, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Try to set up cron
    try:
        if shutil.which("openclaw"):
            subprocess.run(
                [
                    "openclaw",
                    "cron",
Confidence
81% confidence
Finding
subprocess.run( [ "openclaw", "cron", "add", "--name", "youos:nightly",

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill describes capabilities including shell execution, file read/write, network access, environment access, and service management, but does not declare corresponding permissions. That creates a transparency and consent failure: users may install or invoke a skill believing it is constrained, while it can access sensitive local mail data, modify files, authenticate to external backends, and run installation scripts.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The documented behavior goes well beyond a simple email drafting copilot: it stores persistent facts and profiles, exposes admin and token endpoints, supports service installation, benchmarking loops, and background workflows. This mismatch is dangerous because it broadens the attack surface and data-handling scope beyond what a user would reasonably infer from the headline description, especially given the highly sensitive Gmail/Docs/WhatsApp content involved.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This review-queue module exposes an operationally powerful background trigger unrelated to simply viewing or submitting reply reviews. In the context of a local-first email copilot that handles sensitive communications and training pipelines, an unprotected trigger increases the risk of unauthorized pipeline execution, compute abuse, and unintended processing of personal data.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The /config-summary endpoint returns internal configuration details including the database URL and filesystem config directory path. Exposing infrastructure paths is unnecessary for an email drafting API and can aid reconnaissance, reveal deployment layout, and help an attacker target local files or backend services more effectively.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
These endpoints expose snapshot listing, creation, and restore operations over the application database, which goes far beyond the stated email-copilot functionality and creates a powerful administrative surface. If reachable by an attacker, they could enumerate backup locations, create copies of sensitive user data, or restore arbitrary snapshots to alter or roll back the datastore.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The stats/config router exposes an endpoint that installs and starts a background service on the host system. If this API is reachable by an untrusted local webpage, extension, or network client without strong authentication, it grants system-modifying capability beyond the skill's stated email-drafting purpose and could be abused for persistence or unauthorized host changes.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
These API endpoints trigger local ingestion, fine-tuning, and benchmarking jobs that process mailbox-derived data and consume local compute resources. In context, those actions are related to the product, but exposing them as API-triggerable execution surfaces increases abuse potential if the server lacks authentication, CSRF defenses, or rate limits.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill is presented as local-first and privacy-preserving for personal communications, but this route silently falls back to the external Claude CLI when no local adapter is available. That can transmit highly sensitive user email/message content and persona-derived context outside the device, violating user expectations and potentially compliance or privacy requirements.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The CLI exposes functionality for installing background services and creating long-lived API tokens, which materially expands the attack surface beyond a local drafting assistant into persistence and remote-access management. In a personal email copilot context, these capabilities are more dangerous because the application handles highly sensitive communications data and model outputs, so compromise of tokens or misuse of service management can increase persistence and unauthorized access risk.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The fallback path contradicts the local-first claim by sending note text and metadata to an external Claude CLI process. In this product context, notes may contain highly sensitive personal communication preferences, contact details, and project facts, so undisclosed external processing creates a meaningful privacy and data-handling risk.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Spawning an external `claude` process expands the trust boundary of a simple parsing module and gives note content to code outside the application. In a local-first personal email copilot, this is more dangerous than in a generic text-analysis tool because the processed data is likely to include private contacts, habits, schedules, and communication history.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
This file adds persistent LaunchAgent installation and auto-restart behavior, which materially expands the skill's capabilities beyond an email-drafting assistant into long-lived local service management. In the context of a personal communication tool handling sensitive mail and document data, undisclosed persistence increases risk because the service may continue running and exposing data after the user expects it to stop.

Context-Inappropriate Capability

High
Confidence
93% confidence
Finding
The code programmatically installs and controls a macOS LaunchAgent via launchctl, creating persistent background execution not obviously justified by the stated drafting/review workflow. For a tool that processes private Gmail, Docs, and WhatsApp-derived content, stealthy or poorly disclosed persistence raises the risk of ongoing data exposure, local service abuse, and user surprise.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
Despite the skill being described as local-first, this code can route assembled prompts containing inbound email text, thread history, sender context, memory facts, and exemplars to the Claude CLI fallback. That creates a privacy and data-handling mismatch: highly sensitive personal communications may be disclosed to an external model provider without strong in-code consent gating or minimization.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The service logs full inbound_text and generated_draft into draft_events, creating a durable local corpus of sensitive communications beyond ephemeral drafting. For an email copilot handling personal messages, this materially increases exposure in the event of local compromise, over-retention, or unintended secondary use for analytics/training.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The function explicitly expands collection beyond YouOS-generated draft/reply comparisons and stores 'organic' user replies as feedback pairs, which broadens the data use scope without an evident consent or opt-in gate in this code path. In a personal email copilot, this can silently repurpose private communications for model improvement, increasing privacy and compliance risk even if the code is not overtly exfiltrating data.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This script goes beyond aggregate ingestion health and prints raw corpus samples including titles, thread IDs, source IDs, inbound/reply author names, and account_email metadata. In the context of a local-first personal email copilot trained on Gmail, Docs, and WhatsApp exports, these fields are likely to contain directly identifying personal or sensitive communication data, so running the report can disclose private content to logs, terminals, shell history capture, or support artifacts.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script runs an 'autoresearch' optimizer that modifies configuration and then records those changes in version control, which is outside the advertised local-first email drafting behavior. This mismatch increases risk because users may grant trust appropriate for a drafting assistant while the code performs repository mutation and persistence operations.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The script invokes `git add`, `git commit`, and `git tag`, directly altering repository state in ways unrelated to the declared personal email copilot purpose. This is dangerous because it can create persistent, trusted-looking changes and audit artifacts from an optimization routine, enabling accidental configuration drift or concealment of undesired modifications under benign-looking automation.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal