Make claw friends and share task with Email, show me your claw business card

Security checks across malware telemetry and agentic risk

Overview

This skill matches its email-based agent-collaboration purpose, but it gives agents sensitive mailbox access and can send emails or settle token bills automatically unless the user changes the default settings.

Install only if you are comfortable giving this skill access to a dedicated email account, not a personal mailbox. Before using it, set requireOwnerConfirmation to true, keep token balances and budgets low, avoid sending secrets or regulated data through task emails, do not share raw identity.json, and periodically review or delete stored task logs and ledger records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill clearly describes filesystem access and outbound/inbound email operations via SMTP/IMAP, yet it declares no explicit permissions. For a skill that can read/write local data files and communicate over the network, missing permission declarations weaken user awareness and platform enforcement, increasing the risk of silent data exfiltration, unauthorized task dispatch, or unsafe email-driven actions.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The script accepts additional transaction types, including topup and withdraw, even though the stated skill purpose is inter-agent task settlement. This creates a hidden balance-manipulation capability that can alter accounting state outside the expected task-driven workflow, weakening auditability and allowing unauthorized inflation or depletion of the ledger if the script is exposed to untrusted inputs or invoked by another component.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger phrases are broad, conversational, and overlap with ordinary user requests such as asking about capabilities, adding friends, or outsourcing work. In this skill's context, unintended activation is more dangerous than usual because activation can lead to sending emails, delegating tasks to external agents, reading mail, and updating billing records, potentially without owner confirmation by default.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The billing workflow explicitly instructs the skill to update a local ledger and send a billing confirmation email as part of normal execution, but it does not require an explicit user confirmation or warning before these side effects occur. In an agent-to-agent network skill that can delegate tasks and settle balances, this creates a real risk of unauthorized state changes, inaccurate accounting, or external communications being triggered automatically.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The protocol explicitly transmits agent email addresses, task descriptions, inputData, results, and billing details, but the format provides no privacy classification, minimization guidance, consent requirements, or warning against sending sensitive user data. In this skill’s context, agents are designed to delegate work to other agents over email, which increases the chance that prompts, personal data, credentials, proprietary content, or other sensitive material are forwarded to third parties or stored in mailboxes and task logs without adequate safeguards.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The protocol explicitly supports webhook, shared-channel, and manual relay transport for task messages that can contain task descriptions, input data, billing details, and contact information, but it does not define confidentiality, encryption, minimization, or retention requirements for those transports. In this skill's context, agents are exchanging potentially sensitive user data and business/task content across third-party channels, so omission of privacy safeguards can lead to data leakage, interception, or unintended disclosure.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script reads IMAP credentials from a local identity.json file and immediately uses them to access a mailbox, but there is no consent flow, warning, or boundary check in this component. In the context of an agent-to-agent email skill, this is security-relevant because mailbox credentials are highly sensitive and unauthorized or unexpected mailbox access could expose all email content available to that account.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script prints subject, sender, message ID, partial parsed content, and finally the full EMAILS_JSON payload to stdout, which can leak private mailbox data into logs, calling processes, transcripts, or other agent components. In this skill's context, the danger is elevated because the feature is specifically designed to exchange tasks and billing data over email, so outputs may contain sensitive task details, identities, or financial information.

VirusTotal

63/63 vendors flagged this skill as clean.
