Email Assistant

Security checks across malware telemetry and agentic risk

Overview

This email assistant is purpose-aligned, but it asks for powerful mailbox access and includes automatic sending and credential storage with weak safeguards.

Install only if you are comfortable granting read/write/send access to your email accounts. Keep the accounts directory private, do not commit token or account JSON files, avoid catch-all auto-reply rules, disable hourly sync unless you need it, and revoke access at the email provider if any local token or authorization-code file is exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:
    acct = _load_account(account_id)
    if acct["type"] == "outlook":
        send_script = os.path.join(os.path.dirname(__file__), "outlook_api.py")
        subprocess.run(
            [sys.executable, send_script, account_id, "send", reply_path, "--confirm"],
            capture_output=True, text=False, timeout=30,
            env={**os.environ, "PYTHONIOENCODING": "utf-8"},
Confidence: 87%
Finding: subprocess.run( [sys.executable, send_script, account_id, "send", reply_path, "--confirm"], capture_output=True, text=False, timeout

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:
        )
    else:
        send_script = os.path.join(os.path.dirname(__file__), "email_client.py")
        subprocess.run(
            [sys.executable, send_script, account_id, "send", reply_path],
            capture_output=True, text=False, timeout=30,
            env={**os.environ, "PYTHONIOENCODING": "utf-8"},
Confidence: 89%
Finding: subprocess.run( [sys.executable, send_script, account_id, "send", reply_path], capture_output=True, text=False, timeout=30,

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding: The matching-logic description is internally contradictory: it says conditions are ANDed across condition types, but also states each configured type needs at least one match. Ambiguous security-relevant documentation can cause operators or downstream agents to create overly broad or overly narrow rules, leading to unintended automatic replies to sensitive emails or failure to reply where expected.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding: The `cmd_revoke` function and its docstring imply OAuth token revocation, but the implementation only deletes the local token file and tells the user to manually revoke consent. This can leave still-valid access or refresh tokens usable at the provider side, creating a false sense of security during incident response or account offboarding.

Intent-Code Divergence

Severity: Medium
Confidence: 99%
Finding: The script generates an OAuth state value but never verifies the returned state in the callback handler before accepting the authorization code. This breaks CSRF/session-binding protection for the OAuth flow and allows a local or same-browser attacker to inject or swap an authorization response, potentially causing the app to bind to the wrong account or accept an attacker-initiated login flow.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding: The wizard embeds a shared Azure OAuth client and requests broad permissions including Mail.ReadWrite and Mail.Send while presenting setup as a simple authorization step. Using a shared app for multiple users increases trust and consent risks, and the requested scopes exceed minimal account-verification needs, enabling access to read, modify, and send mail if tokens are compromised or the app is abused.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The documentation explicitly supports a catch-all rule that matches all incoming mail but does not warn about risks such as mail loops, replying to spam/phishing, disclosure of availability, or unintended responses to external parties. In an email automation skill, this omission materially increases the chance users deploy broad auto-replies unsafely.

Missing User Warnings

Severity: High
Confidence: 97%
Finding: Documenting attachment support for automatic replies without warning that listed files may be sent automatically can lead to accidental exfiltration of sensitive local files. In this context, auto-replies may trigger on untrusted inbound email, so any configured attachment path could be disclosed broadly and repeatedly without user review.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The document includes example JSON configuration that places live email authorization codes directly in a file field named auth, but it does not warn users that these values are secrets that should not be committed, shared, or stored insecurely. In a skill/reference context, users may copy this verbatim into config files or repositories, leading to credential leakage and unauthorized access to email over IMAP/SMTP.

Missing User Warnings

Severity: Medium
Confidence: 77%
Finding: The mark-read and mark-unread operations immediately modify mailbox state without any user confirmation, policy gate, or dry-run safeguard. In an agent skill context, that increases the chance that a prompt-influenced or mistaken call can silently alter evidence, workflow state, or unread-message triage.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding: The script prompts for 163/QQ authorization codes and writes them directly into JSON account files as smtp.auth and imap.auth without any protection or clear warning. These codes function as mailbox credentials, so local file disclosure, backups, or accidental sharing of the accounts directory can expose full mail access.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The file performs IMAP auto-reply sending automatically without any user-facing warning, approval step, or comparable safety control. In this context, that is dangerous because untrusted inbound messages can trigger outbound communication, creating spam, phishing amplification, or auto-reply loops.

VirusTotal

64/64 vendors flagged this skill as clean.