one-mail

Security checks across malware telemetry and agentic risk

Overview

This is a real email-management skill, but it stores long-lived mailbox credentials and contains unsafe command construction that could let crafted email arguments run unintended commands.

Review before installing. Use it only with accounts you are comfortable granting persistent local access to, protect ~/.onemail/credentials.json, avoid unattended auto-reply or forwarding workflows, and inspect any generated send/search commands carefully. The eval and heredoc interpolation issues should be fixed before use with untrusted inputs or agent-generated email fields.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 90%
Finding
The skill advertises shell, file-read, and network-capable operations but declares no explicit permissions or safety boundaries. For an email-management skill, these capabilities enable access to local configuration under ~/.onemail/, outbound communication to mail providers, and command execution, so the lack of declared permissions reduces transparency and makes unsafe invocation or overreach more likely.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The function constructs a shell command string from user-influenced values such as the Gmail search query, account email, and limit, then executes it with eval. Because eval re-parses shell metacharacters, an attacker can inject arbitrary shell syntax and gain command execution, which is far beyond the intended email-search capability of this skill.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The send path assembles a command string from message fields including to, cc, bcc, subject, attachment path, and reply_to, then passes it to eval. Any crafted shell metacharacters in those fields can break out of the intended gog invocation and execute arbitrary commands, turning an email-sending feature into general shell execution.

Missing User Warnings

Medium
Confidence: 88%
Finding
The README explicitly demonstrates auto-reply/forwarding workflows that transfer email content to recipients or other accounts, but it does not warn users that this may disclose sensitive or regulated data. In an email-management skill, these examples normalize unattended outbound data transfer and increase the risk of accidental privacy breaches if users copy them into production use.

Missing User Warnings

Medium
Confidence: 90%
Finding
The backup example writes bulk email data to local JSON files without warning that these files may contain sensitive message bodies, sender/recipient metadata, and attachment indicators. This creates a realistic risk of local data exposure through weak filesystem hygiene, backups, shared machines, or later exfiltration by other processes.

Missing User Warnings

Medium
Confidence: 77%
Finding
The README encourages unattended mail retrieval and automatic reply workflows without prominently warning about privacy exposure, unintended disclosure, or accidental outbound actions. In an agent skill context, this can lead users to automate processing of sensitive email content and send responses based on incomplete filtering, increasing the risk of data leakage or harmful actions.

Vague Triggers

Medium
Confidence: 87%
Finding
The trigger text is very broad and matches common words like 邮件, 邮箱, email, 发邮件, 收邮件, 查邮件, which can cause the skill to activate for routine conversations that only mention email tangentially. In this skill's context, accidental activation is more dangerous because the tool can read mailbox contents, search across accounts, and send messages, potentially exposing private data or causing unintended actions.

Missing User Warnings

Medium
Confidence: 93%
Finding
The documentation includes sending email and removing accounts without warning that content will be transmitted to third-party providers or that account removal is destructive. Because email contents, recipients, attachments, and account metadata are highly sensitive, missing privacy and destructive-action warnings increases the risk of unintentional disclosure, irreversible account changes, or sending messages the user did not mean to send.

Missing User Warnings

Medium
Confidence: 95%
Finding
The script collects highly sensitive OAuth material (client secret and authorization code) and immediately transmits it to Microsoft's token endpoint, but it does not clearly disclose to the user that these secrets will be sent over the network and that a refresh token will later be stored locally. In an agent skill context, silent collection and exchange of credentials increases the risk of user surprise, unsafe consent, and accidental credential exposure if the surrounding environment or logs are not trusted.

Missing User Warnings

Medium
Confidence: 96%
Finding
The script stores mailbox passwords and OAuth refresh/client secrets via save_credentials without explicitly informing the user about persistence, storage location, or protection guarantees. This is dangerous because email credentials grant ongoing account access, and undisclosed local storage can lead to compromise through weak file permissions, backups, multi-user systems, or later exfiltration by other tooling.

Missing User Warnings

Medium
Confidence: 91%
Finding
The script prompts for app passwords, client secrets, and refresh tokens and persists them to a local JSON file, but it never clearly warns the user at the moment of entry that these secrets will be stored on disk. In a mail-management skill, these credentials grant ongoing access to private email accounts, so silent local persistence meaningfully increases the risk of unintended credential exposure through backups, endpoint compromise, or user misunderstanding.

Missing User Warnings

Medium
Confidence: 87%
Finding
The script sends the user-provided client ID, client secret, and authorization code to Microsoft's token endpoint without an explicit disclosure right before transmission. Although contacting the OAuth provider is expected for Outlook setup, the lack of clear notice reduces informed consent and can surprise users into transmitting sensitive values over the network.

VirusTotal

64/64 vendors flagged this skill as clean.
