Email Automation

Security checks across malware telemetry and agentic risk

Overview

The skill is for email automation, but it defaults to auto-archiving and stores email-processing history with weak disclosure and control.

Review before installing. Use it only if you are comfortable granting mailbox credentials and allowing automatic archiving; disable AUTO_ARCHIVE or test on a noncritical inbox first, and check how the skill writes its local history file, .email-automation/processed.json.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Tainted flow: 'history_file' from os.getenv (line 34, credential/environment) → open (file write)

Severity: Medium
Category: Data Flow
Content:
    """Save history of processed emails"""
    ensure_data_dir()
    history_file = DATA_DIR / 'processed.json'
    with open(history_file, 'w') as f:
        json.dump(history, f, indent=2)

def simulate_fetch_emails():
Confidence: 90%
Finding: with open(history_file, 'w') as f:

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding: The script claims 'TEST MODE - No changes will be made' but still executes process_emails(), which saves processing history to disk. This is dangerous because operators may rely on test mode for safe evaluation and unintentionally persist metadata or modify state, violating expectations and potentially affecting privacy-sensitive environments.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The skill explicitly advertises autonomous inbox cleanup and auto-archiving but does not clearly warn users that these actions modify mailbox state. In an email-management context, silent archival can hide important messages, disrupt workflows, and cause users to miss time-sensitive communications.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The command examples instruct the agent to archive emails without disclosing that this changes mailbox contents and may not be obvious or easily reversible to the user. This creates risk of unintended mailbox modification, especially if users treat the examples as safe read-only queries.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding: The configuration sets AUTO_ARCHIVE to true by default, enabling automatic mailbox modification without a clear safety notice. Default-on state changes are risky in email workflows because users may unintentionally lose visibility of messages before validating the categorization logic.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding: The script persists processed email IDs and last-run metadata to local storage without explicit notice or consent. In a skill handling email workflow, even limited metadata can be privacy-sensitive and may be exposed to other local users, backups, or shared workspaces if stored insecurely or unexpectedly.

VirusTotal

65/65 vendors flagged this skill as clean.
