Email Checker by EntzAI

Security checks across malware telemetry and agentic risk

Overview

This email assistant matches its stated purpose, but it needs careful review because it can control Mail, send reports and replies, run on a schedule, send email content to LLM providers, and contains unsafe or incomplete AppleScript handling.

Install only on a dedicated bot mailbox or VM unless you are comfortable granting Mail automation and scheduled execution. Prefer a local LLM or disable LLMs for sensitive mail, verify the report recipient, review the crontab, and inspect or supply the missing get_unread_emails.scpt before trusting the installed behavior. Do not use this with important personal or business inboxes until the AppleScript interpolation and plaintext API-key storage are fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (19)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
'''

    try:
        result = subprocess.run(
            ['osascript', '-e', applescript],
            capture_output=True, text=True,
            timeout=30
Confidence
94% confidence
Finding
result = subprocess.run( ['osascript', '-e', applescript], capture_output=True, text=True, timeout=30 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
end tell'''

    try:
        result = subprocess.run(
            ['osascript', '-e', script],
            capture_output=True, text=True,
            timeout=30
Confidence
84% confidence
Finding
result = subprocess.run( ['osascript', '-e', script], capture_output=True, text=True, timeout=30 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
end tell'''

    try:
        result = subprocess.run(
            ['osascript', '-e', applescript],
            capture_output=True, text=True,
            timeout=30
Confidence
92% confidence
Finding
result = subprocess.run( ['osascript', '-e', applescript], capture_output=True, text=True, timeout=30 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
end tell'''

    try:
        result = subprocess.run(
            ['osascript', '-e', applescript],
            capture_output=True, text=True,
            timeout=30
Confidence
92% confidence
Finding
result = subprocess.run( ['osascript', '-e', applescript], capture_output=True, text=True, timeout=30 )

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises and documents capabilities that read email, write configuration/log files, invoke shell commands, and contact external LLM providers, but it does not declare permissions for those sensitive actions. This undermines user consent and platform policy enforcement, especially because the skill accesses private inbox data and can transmit content off-device to remote services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose omits materially sensitive behaviors: marking unread emails as read, sending replies through Mail.app, and installing cron jobs, while also claiming Telegram/WhatsApp management that is not actually present. This mismatch can cause users to authorize the skill under false assumptions, leading to unintended mailbox modification, outbound communications, and persistence on the host.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill description says it checks unread mail, drafts replies, and sends a report, but the implementation also marks all unread inbox messages as read after processing. This is a hidden state-changing action that can cause users to miss messages and undermines informed consent.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill goes beyond unread-email checking by searching thread history and extracting up to 2000 characters of prior message content from Mail.app. This expands data access materially beyond the manifest description and increases privacy exposure.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The AppleScript uses `do shell script "cat {report_file}"`, which executes a shell command assembled from a filesystem path. If the path contains shell-special characters or if workspace paths are attacker-influenced, this can become command injection within the user's context.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly describes forwarding email previews, priorities, and AI-drafted replies to personal email and managing them via Telegram or WhatsApp, but it does not clearly warn that potentially sensitive email content may be transmitted outside the original mailbox and possibly to third-party services. In a security-sensitive automation skill, omission of this privacy notice can lead users to expose confidential correspondence without informed consent.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documented workflow states that processed emails are automatically marked as read, which is a mailbox-modifying action that can affect user workflows, auditability, and incident response if messages are no longer visibly unread. Without an explicit warning and opt-in emphasis, users may deploy the tool without realizing it changes message state.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The chat invocation examples are broad enough that an orchestrating agent could trigger sensitive actions like sending email replies or changing trusted sender settings without clear confirmation boundaries. In a skill that can read inbox contents and send mail, ambiguous natural-language triggers increase the risk of unintended or socially engineered execution.

Missing User Warnings

High
Confidence
96% confidence
Finding
The description fails to warn that the skill accesses privacy-sensitive email content and can generate outbound reports or drafts, potentially through third-party LLM providers. Because email often contains personal, financial, and corporate secrets, missing privacy disclosures materially increases the chance of uninformed consent and data exfiltration.

Missing User Warnings

High
Confidence
99% confidence
Finding
The code sends email bodies and thread context to an external LLM endpoint without any runtime notice, consent, or data minimization. In an email-assistant context this is especially sensitive because inbox content commonly includes personal, financial, legal, or business-confidential data.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script automatically marks all unread inbox emails as read with no confirmation or warning. In this skill context, that is dangerous because it alters the user's mailbox state and can hide important messages from normal review workflows.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script automatically emails a report to a configured recipient without user confirmation at the point of sending. Even if the recipient is the user, this can exfiltrate sensitive message previews and AI-generated drafts to the wrong address if misconfigured or tampered with.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The setup flow collects an OpenAI API key and later stores it in settings.json without clearly warning the user that the credential will be written to disk, likely in plaintext. This increases the risk of credential exposure through local compromise, backups, misconfigured file permissions, or accidental sharing of the config directory.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script writes personal data and account-related settings, including name, report email, trusted senders, Mail account ID, and LLM settings, to settings.json without clearly notifying the user what sensitive information will be persisted. This can expose private profile and email metadata if the file is accessed by other local users, backup systems, or support workflows.

Ssd 3

High
Confidence
99% confidence
Finding
The prompt includes the current email plus prior thread messages wholesale, then transmits them to the configured model provider. This creates direct leakage of private correspondence in plain text and broadens exposure beyond what is necessary to draft a short reply.

VirusTotal

65/65 vendors flagged this skill as clean.
