Skill v1.0.0
ClawScan security
Email Reader · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 24, 2026, 1:16 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: This instruction-only email skill generally matches its stated purpose (reading/sending email via a CLI) but contains inconsistencies and insecure guidance around credentials and configuration that you should review before installing.
- Guidance: This skill appears to do what it claims (manage email via the himalaya CLI), but it has a few problems you should address before use:
  - Clarify dependencies: the registry should list 'himalaya' as a required binary so you know it must be installed.
  - Do NOT copy the example that puts passwords on the command line—this exposes credentials to shell history and process lists. Prefer OAuth or storing credentials in a secure environment variable or credential store.
  - If you enable scheduled reminders, confirm how the agent will store the schedule and whether it runs autonomously; be cautious granting ongoing autonomous access to your email.
  - When installing himalaya, use the official package source for your OS (brew, winget, crates.io) and verify the project repo.
  - Consider requiring explicit environment variables (or an OAuth flow) for credentials and avoid sharing raw auth tokens with the skill.
  If you need me to, I can suggest a safer configuration and a checklist to harden usage of this skill. Confidence is medium because the skill is instruction-only and coherent overall, but the missing metadata and insecure examples are concerning rather than definitive proof of malicious intent.
Review Dimensions
- Purpose & Capability (note): Skill description and runtime instructions align: it reads and sends email via IMAP/SMTP and recommends the himalaya CLI. However, the registry metadata declares no required binaries or primary credential even though SKILL.md expects the himalaya CLI and user mail credentials—this mismatch should be clarified.
- Instruction Scope (concern): The instructions directly tell users how to configure accounts with username/password on the command line (examples show plaintext passwords in CLI args) and recommend periodic reminders. Showing CLI invocations that embed passwords is insecure and could lead to credential leakage (shell history, process listing, logs). The skill does not explicitly limit what the agent should read beyond the mail client, and the '定时提醒' (scheduled reminders) implies background/periodic actions without specifying how scheduling or authorization is handled.
- Install Mechanism (note): There is no install spec in the registry (lowest-risk), but SKILL.md recommends installing himalaya via brew/cargo/winget—these are standard package sources. This is acceptable, but the registry should declare the binary dependency so users know the runtime requirement ahead of time.
- Credentials (concern): No required environment variables or primary credential are declared despite the skill needing email account credentials (app passwords, OAuth tokens, or auth codes). The README suggests using environment variables and OAuth (good), but the concrete examples show passing passwords directly in CLI flags, which is disproportionate and unsafe. The skill requests access to sensitive secrets in practice but doesn't document or enforce a secure mechanism for them.
- Persistence & Privilege (note): always:false (default) and autonomous invocation allowed (normal). The SKILL.md mentions scheduled reminders, which implies persistent or recurring actions, but the skill provides no mechanism for persisting schedules or elevating privileges. This is a behavioral note to clarify how and when the agent will run these reminders.
