ClawHub

Ews Email

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Exchange email tool, but it needs Review because it can read, send, modify, delete, and download enterprise email with weak safeguards in a few places.

Install only if you intentionally want an agent to operate an Exchange mailbox. Require manual confirmation before sending, replying, forwarding, moving, deleting, flagging, or downloading attachments; avoid downloading attachments from untrusted mail until filenames are sanitized; and avoid keeping the keyring master password in persistent environment/config files where possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The docstring says passwords are never sourced from environment variables or config files, but the keyring fallback uses KEYRING_CRYPTFILE_PASSWORD from the environment as the master secret protecting the stored EWS password. This is a security-design mismatch that can mislead operators into weaker deployment practices, especially because environment variables are often exposed to child processes, process dumps, CI logs, or shell history via export scripts.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The activation text is very broad ('when the user asks about email, inbox, messages, or mail'), which could cause the skill to trigger for routine conversations and gain access to mailbox operations unexpectedly. In a mail-management skill with send, delete, move, and read capabilities, over-broad invocation increases the chance of unintended sensitive actions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation exposes destructive and outbound actions like send, reply, forward, move, delete, and attachment download without clear warnings or mandatory confirmations. In an enterprise email context, misuse could lead to data exfiltration, phishing from a trusted account, accidental deletion, or unauthorized message manipulation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Attachment filenames from the remote email are joined directly into a local path and written to disk. A crafted attachment name such as ../../.ssh/authorized_keys or an absolute path could cause path traversal and arbitrary file overwrite outside the intended download directory, making this more than just an undisclosed filesystem change.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal