Email Resend

Security checks across malware telemetry and agentic risk

Overview

This email skill mostly does what it says, but it needs review because it handles private email, can create recurring chat notifications, and has unsafe or under-scoped defaults around notification targets and attachment downloads.

Install only if you intend to give this skill Resend email access and want email data available to an agent. Before enabling cron, replace the hardcoded Telegram examples with your own destination, verify the configured chat/topic, and know how to remove the cron job. Use a least-privileged Resend key, avoid --yes except in trusted automation, and download attachments only to a controlled folder while treating filenames and contents as untrusted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (14)

Tainted flow: 'cron_cmd' from os.environ.get (line 143, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
]
    
    print(f"Running: {' '.join(cron_cmd)}")
    result = subprocess.run(cron_cmd, capture_output=True, text=True)
    
    if result.returncode != 0:
        print(f"Error adding cron: {result.stderr}")
Confidence
80% confidence
Finding
result = subprocess.run(cron_cmd, capture_output=True, text=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill clearly requires powerful capabilities including environment access, file read/write, network access, and shell execution, yet it does not declare permissions. This weakens review and consent boundaries because operators and higher-level tooling cannot accurately understand or constrain what the skill can do before invocation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The declared purpose emphasizes email operations, but the skill also manages cron jobs, targets Telegram delivery, reads/writes persistent memory state, and invokes OpenClaw CLI actions. This mismatch is dangerous because users may authorize an email skill without realizing it can alter scheduled tasks and route message content into another channel, increasing the chance of unintended data exposure or persistence.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill is presented as a Resend email integration, but this script configures Telegram notifications and cron-based message delivery outside that stated scope. This scope expansion is security-relevant because users may grant trust expecting email-only behavior, while the skill also establishes external notification channels that can forward or expose inbound email metadata.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The script manages external OpenClaw cron jobs via subprocess, creating persistent automation beyond a simple email API integration. In skill context, persistent scheduled tasks materially increase risk because they can continue sending notifications or processing data after initial execution, especially when users may not expect cron/job management from an email helper.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The docstring states that sending 'always shows preview before sending (requires user approval)', but the implementation allows bypassing approval with --yes. In an agent setting, this mismatch can mislead operators or higher-level controls into assuming a human-in-the-loop safeguard exists when it can actually be disabled, increasing the risk of unintended outbound email and data leakage.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README explicitly promotes downloading inbound email attachments but provides no warning that attachments are untrusted content. In an email-handling skill, this omission is security-relevant because users may open or process malicious files delivered via email, increasing risk of malware execution, phishing, or unsafe downstream parsing.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The README describes sending and receiving emails via the Resend API but does not clearly warn that message contents and metadata are transmitted to an external third-party service. This can lead users to unknowingly send sensitive information through an external provider, creating confidentiality, compliance, and privacy risks.

Vague Triggers

Medium
Confidence
87% confidence
Finding
Trigger phrases such as 'send email', 'check emails', 'email me', and 'email notification' are broad and likely to match normal conversation. Overbroad activation can cause the skill to run in unintended contexts, which is especially risky here because the skill can send emails, read inbound mail, persist data, and potentially configure cron jobs.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill instructs persisting sender identity and Telegram notification targets in memory, but does not present a strong, explicit privacy notice or consent step before storing this cross-channel contact metadata. That creates avoidable privacy risk because these identifiers can reveal personal contact details and routing information across sessions and automations.

Natural-Language Policy Violations

Medium
Confidence
97% confidence
Finding
The code hard-codes a specific real-looking email address and name as defaults when environment values are absent. This can misattribute outbound email identity, leak another person's identity into user workflows, and cause accidental sending under incorrect personal details without informed consent.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script emits inbound email metadata and body previews to stdout, explicitly for downstream agent delivery. In an agent environment, stdout is often captured, logged, surfaced to other tools, or relayed across channels, so this creates a real confidentiality risk for sensitive email content and attachment names.

Ssd 3

Medium
Confidence
88% confidence
Finding
The code comments/instructions direct the invoking agent to parse the JSON output and deliver the email data through other messaging channels. That creates a natural-language exfiltration path from a sensitive source (inbound mail) into potentially broader or less trusted destinations without any access-control, consent, or classification step.

Ssd 3

Medium
Confidence
93% confidence
Finding
The notification output includes substantial body text, sender details, dates, and attachment filenames/sizes in both JSON and human-readable form. Because this output is intended for downstream delivery and may also be logged, it materially increases the risk of exposing confidential business or personal information from inbound mail.

VirusTotal

66/66 vendors flagged this skill as clean.
