Send transactional email via DmartechX/Iemail OpenAPI. Configure in OpenClaw skills env or use secret.md.

Security checks across malware telemetry and agentic risk

Overview

This skill does send email as advertised, but it gives agents broad credential-file access instructions and installs Python packages at runtime.

Review before installing. Prefer a version that uses only injected IEMAIL_ACCESS_KEY, IEMAIL_ACCESS_KEY_SECRET, and IEMAIL_SENDER, removes workspace config-file credential reads, and declares pinned dependencies instead of running pip from the script. If used anyway, protect the API keys, confirm each recipient and message body before sending, and avoid sending sensitive or regulated content unless the provider is approved for it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
try:
    import requests
except ImportError:
    os.system(f"{sys.executable} -m pip install requests -q")
    import requests
Confidence
96% confidence
Finding
os.system(f"{sys.executable} -m pip install requests -q")

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes  # type: ignore
    except ImportError:
        os.system(f"{sys.executable} -m pip install cryptography -q")
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes  # type: ignore

    encryptor = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
Confidence
96% confidence
Finding
os.system(f"{sys.executable} -m pip install cryptography -q")

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill documents and instructs capabilities that include shell execution, environment access, and outbound network use, but does not declare corresponding permissions. That creates a transparency and policy-enforcement gap: users or platforms may not realize the skill can access secrets and send data externally, increasing the chance of unintended credential exposure or misuse.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill says configuration should be provided via injected environment variables, yet the agent instructions tell the agent to read ~/.openclaw/openclaw.json or workspace config files for credentials. This expands secret access beyond the minimum necessary scope and teaches the agent to pull sensitive material from local files, which can expose unrelated secrets or normalize unsafe secret-handling behavior.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The documentation claims the skill is configured 'via OpenClaw skill env only' but later instructs the agent to read local config files for credentials. This contradiction is dangerous because ambiguous secret-source guidance can lead agents to access more sensitive data than intended and makes security review harder by obscuring the true trust boundary.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill performs shell-based package installation during normal execution, which is unrelated to the minimum functionality needed to send an email and creates an avoidable execution pathway. In the skill context, this is more dangerous because an automation/integration environment may run with elevated network access and trust, allowing dependency-fetch behavior to become a supply-chain risk.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Repeating the same shell-based install pattern for cryptography compounds the risk by adding another runtime dependency-fetch and command-execution path. In a security-sensitive code path that generates authentication material, this creates avoidable exposure to tampered packages or unexpected behavior in restricted environments.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README instructs users to place long-lived API credentials directly into a local OpenClaw config file but does not warn that these secrets will be stored on disk and may be exposed through weak file permissions, backups, screenshots, repository commits, or support bundle collection. In a skill whose purpose is to send email through a third-party API, compromise of these keys could enable unauthorized email sending, abuse of the email account, and possible access to associated service data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Instructing the agent to read local config files for credentials without a clear user-facing warning encourages direct access to sensitive secret stores. That can result in accidental disclosure, over-collection of secrets, or use of credentials from files the user did not expect the skill to inspect.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill sends email through an external API, which means recipient addresses and message content leave the local system, but the documentation does not clearly warn users about that data transmission. Without that notice, users may unknowingly route sensitive content to a third-party service and underestimate privacy, compliance, or data-handling risks.

VirusTotal

66/66 vendors flagged this skill as clean.
