email-manager-pop3

Security checks across malware telemetry and agentic risk

Overview

This email skill mostly matches its purpose, but it includes an undocumented mail-deletion function that can remove messages without a confirmation step.

Review this skill before installing. Use a dedicated app password or test mailbox, restrict permissions on config.yaml, and avoid granting it access to important mailboxes unless the undocumented delete_mail behavior is removed, documented, or gated behind explicit confirmation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Tp4

High
Category
MCP Tool Poisoning
Confidence
80% confidence
Finding
The documented purpose says the skill queries and sends mail, but the finding indicates the implementation also deletes mail and exposes a CLI entrypoint for direct execution. Undisclosed destructive behavior expands the trust boundary: users or orchestrators may grant access expecting read/send operations only, while the skill can also remove messages, increasing the risk of unintended data loss or abuse.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill metadata and module description say it only supports querying and sending email, but the implementation also exposes message deletion. This capability mismatch is security-relevant because downstream agents or users may authorize the skill under a narrower trust assumption and unintentionally permit destructive actions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
delete_mail() performs a destructive POP3 DELE operation immediately, with no confirmation prompt, warning, dry-run, or policy check. In an agent setting, this increases the risk of accidental or unauthorized mailbox data loss if the method is called due to prompt confusion, misrouting, or malicious instruction chaining.

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Email Manager Skill Dependencies
PyYAML>=6.0
Confidence
98% confidence
Finding
PyYAML>=6.0

Known Vulnerable Dependency: PyYAML (8 advisories): CVE-2019-20477 (Deserialization of Untrusted Data in PyYAML); CVE-2020-1747 (Improper Input Validation in PyYAML); CVE-2020-14343 (Improper Input Validation in PyYAML); and 5 more

Critical
Category
Supply Chain
Confidence
96% confidence
Finding
PyYAML

VirusTotal

65/65 vendors flagged this skill as clean.