ClawHub

Email Assistant

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed AI email assistant that sends user-selected email content to Evolink for processing, with no hidden persistence or unrelated behavior found.

Install only if you are comfortable sending email drafts or templates to Evolink/Claude for AI processing. Redact sensitive customer, legal, regulated, or confidential business content unless you trust the vendor's handling and retention claims, protect the EVOLINK_API_KEY, and treat compliance output as drafting help rather than legal advice. The publisher should correct the unrelated crypto/wallet/purchase tags.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares no explicit permissions, yet its metadata and documented commands require environment access, shell execution, and reading/writing files via `python3`, `curl`, API key usage, and temporary payload handling. This creates a trust and transparency gap: users or platforms may underestimate what the skill can access and do, including transmitting local email content to a third-party API.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This script sends user-supplied email file contents to a third-party API for review, subject generation, compliance checking, and translation, but it does not present an explicit warning or consent prompt at the point of use. Because email files can contain sensitive personal, commercial, or regulated data, silent exfiltration to an external service creates a meaningful confidentiality and compliance risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script sends full email file contents to a third-party API for review, subject generation, compliance, and translation, but does not present a clear runtime warning or consent gate before exfiltrating potentially sensitive content. In this skill context, users may process drafts containing PII, customer data, secrets, or regulated content, making silent transmission materially risky.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal