Local Mail Server

Security checks across malware telemetry and agentic risk

Overview

This is a coherent guide to setting up a local mail server, but it includes insecure instructions that could expose mail credentials or the administration interface if followed as written.

Review the guide before installing or following it. Replace every example password, do not disable TLS peer verification (use valid certificates or a trusted internal CA instead), verify downloaded binaries, restrict admin interfaces to localhost or a VPN, and back up the VPS, DNS, Nextcloud, and mail configuration before making changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The example uses an administrative API over plain HTTP with default-looking credentials (`admin:admin123`) and does not show that the interface is strictly bound to localhost or otherwise hardened. Even if the URL is `localhost`, documentation that normalizes weak defaults can lead operators to deploy an exposed management plane or reuse insecure credentials, enabling account takeover and full mail-system compromise.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding
The guide recommends STARTTLS for IMAP/SMTP but then instructs Nextcloud to disable TLS peer verification, which defeats certificate validation. That permits man-in-the-middle interception or impersonation of the mail server, exposing credentials and message contents despite nominal TLS use.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
Telling users to set `app.mail.verify-tls-peer` to `false` removes server identity verification without clearly warning about the security consequences. In a mail system, this directly increases the risk of credential theft, traffic interception, and spoofed server connections.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The API example includes default-looking admin credentials and a plaintext user password without warning readers to replace them. Readers may copy the values directly into production, resulting in predictable admin access or weak user provisioning practices.
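The four findings above describe patterns that can be checked mechanically before a guide's snippets are copied into a live system. The script below is an added example, not part of the guide and not SkillSpector's own logic: it lints text in the shape the findings describe (an admin-API curl call and a Nextcloud `config.php` line) for the disabled `app.mail.verify-tls-peer` setting, a plain-HTTP admin API, default-looking `-u` credentials, and a literal user password, and shows the same steps with the weak settings corrected. The sample snippets, the hostname `mail.example.internal`, the CA path, and the API path are constructed for the example; the `occ security:certificates:import` command mentioned in the fixed snippet is Nextcloud's way of trusting an internal CA without turning verification off.

```python
"""Pre-deployment lint for mail-server guide snippets (added example, not the
guide's own code). Flags the four patterns the findings describe."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line severity check detail")

# Constructed sample in the shape the findings describe; not the guide's text.
SAMPLE_GUIDE = r"""
# Create a mailbox through the admin API
curl -u admin:admin123 -X POST http://localhost:8080/api/v1/user \
     -d 'email=alice@example.internal&password=Password1'

# config/config.php
'app.mail.verify-tls-peer' => false,
"""

# The same steps with the weak settings corrected (also constructed).
FIXED_GUIDE = r"""
# Admin API only over TLS; ADMIN_USER/ADMIN_PASS come from the environment and
# the mailbox password is generated rather than typed into the example.
curl --cacert /etc/ssl/certs/internal-ca.pem \
     -u "$ADMIN_USER:$ADMIN_PASS" -X POST https://mail.example.internal:8443/api/v1/user \
     -d "email=alice@example.internal&password=$(openssl rand -base64 24)"

# config/config.php: keep verification on and trust the internal CA instead
# (occ security:certificates:import /etc/ssl/certs/internal-ca.pem).
'app.mail.verify-tls-peer' => true,
"""

WEAK_CREDENTIALS = {"admin:admin", "admin:admin123", "admin:password", "root:root"}
LOOPBACK_HOSTS = {"localhost", "127.0.0.1"}


def lint(text):
    """Return a Finding for every insecure pattern in text, in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        # Nextcloud Mail: certificate verification switched off in config.php
        m = re.search(r"'app\.mail\.verify-tls-peer'\s*=>\s*(true|false)", line)
        if m and m.group(1) == "false":
            findings.append(Finding(lineno, "high", "tls-peer-verification-disabled",
                                    "server identity is not checked; MITM possible"))
        # Administrative API reached over plain HTTP (worse when not loopback)
        for url in re.findall(r"https?://[^\s'\"]+", line):
            if url.startswith("http://"):
                host = re.match(r"http://([^/:]+)", url).group(1)
                sev = "medium" if host in LOOPBACK_HOSTS else "high"
                findings.append(Finding(lineno, sev, "plaintext-admin-api",
                                        f"admin API over http to {host}"))
        # Default-looking admin credentials passed literally to curl -u
        m = re.search(r"-u\s+([^\s\"']+:[^\s\"']+)", line)
        if m and m.group(1) in WEAK_CREDENTIALS:
            findings.append(Finding(lineno, "medium", "default-admin-credentials",
                                    f"credential {m.group(1)!r} is a well-known default"))
        # Literal user password in the request body ($VAR or $(cmd) is fine)
        m = re.search(r"password=([^&'\"\s]+)", line)
        if m and not m.group(1).startswith("$"):
            findings.append(Finding(lineno, "medium", "plaintext-user-password",
                                    "literal password in example; readers copy it"))
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_GUIDE):
        print(f"line {f.line}: [{f.severity}] {f.check}: {f.detail}")
    print("fixed guide findings:", lint(FIXED_GUIDE))
```

Run it against the sample and it reports one finding per pattern (the loopback admin API is rated medium, matching the first finding's reasoning that a localhost URL only partly mitigates the issue); run it against the corrected snippet and it reports nothing. The credential check only looks at literal `user:pass` pairs, so values pulled from the environment pass, which is the practice the Overview asks for.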

VirusTotal

63/63 vendors reported this skill as clean.