cloudflare-mail-reader

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says, but it gives an agent admin-level access to mailbox contents and verification codes with weak safeguards against unintended use.

Install only if you control the target mail system and want the agent to have admin-level read access to mailbox contents. Use least-privilege credentials, specify an address and a small limit, avoid mailbox-wide reads with no address, avoid raw output unless debugging, and treat exported CSV/JSON and any returned verification codes as confidential.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding
The script does more than merely read mailbox contents: it actively extracts OTP/verification codes into a dedicated field, making high-value secrets easier to harvest and reuse. In the context of an admin mailbox API, this materially increases the risk of account takeover or bypass of MFA/email-based verification flows if the tool is invoked against other users' mailboxes.

Missing User Warnings

Medium
Confidence: 86%
Finding
The skill is explicitly designed to read mailbox contents from an admin endpoint and export messages as CSV, but it provides no privacy warning, consent boundary, or data-handling caution. In this context, the lack of notice is meaningful because email content and extracted verification codes are highly sensitive, and exporting them increases the risk of unintended disclosure or retention.

Vague Triggers

Medium
Confidence: 93%
Finding
The skill enables implicit invocation without any visible trigger constraints, while its purpose is to access mailbox contents through an admin API. That combination can cause the agent to auto-select a privileged mail-reading capability for broad user requests, increasing the risk of unintended access to sensitive email data or use without explicit user confirmation.

Vague Triggers

Low
Confidence: 86%
Finding
The display name, short description, and default prompt describe broad mail-reading behavior that overlaps with common user requests such as reading emails or listing messages. In the context of a skill backed by an admin API for mailbox access, broad matching increases the chance that the agent invokes this capability for ambiguous prompts and exposes or retrieves email content beyond the user's intended scope.

Missing User Warnings

Medium
Confidence: 91%
Finding
The tool prints full mail contents, metadata, and optionally raw messages to stdout and can also write them to an arbitrary file path, which can expose sensitive emails, links, reset tokens, and personal data to logs, shell history workflows, CI capture, or other local users. In this skill's context—accessing mail through an admin API—those outputs may contain other users' private messages, making disclosure significantly more dangerous.

VirusTotal

65/65 vendors flagged this skill as clean.
