OpenClaw Email Lead Generation

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed email outreach assistant with optional automation; it is not malicious, but it handles sensitive lead and email data.

Install only if you want an agent to manage lead records and help send outreach from your email account. Keep SMTP secrets in environment variables, review every email before sending unless you intentionally enable auto-send, review any cron jobs it creates, and treat ~/workspace/leadgen plus the temporary email-body file as sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access

Findings (7)

Description-Behavior Mismatch

Low (97% confidence)

`cmd_write_email_body` writes sensitive email content to a fixed path `/tmp/leadgen_email_body.txt`, outside the controlled workspace. A predictable global temp filename is vulnerable to symlink attacks, clobbering, race conditions, and unintended cross-user/process exposure on multi-user systems; in this skill context, that could leak draft outreach content or overwrite arbitrary files accessible to the script's user.

Intent-Code Divergence

Medium (95% confidence)

The header comment claims all user-provided input is sanitized, but commands such as `write-config` and `write-email-body` write stdin directly to disk without validation or sanitization. In an agent skill, misleading security claims are dangerous because downstream tooling or maintainers may trust unsafe paths and pass untrusted content into them, increasing the chance of config injection, persistence of malicious payloads, or mishandling of sensitive data.

Vague Triggers

Medium (94% confidence)

The skill explicitly tells the agent to map broad natural-language phrases like "Show me the pipeline," "Any replies?", and "How are we doing?" into operational commands. This increases the chance of accidental invocation during ordinary conversation, which could trigger state reads, drafting actions, or follow-on workflows without sufficiently explicit user intent.

Vague Triggers

Low (86% confidence)

The startup flow uses a very generic trigger of the user saying "yes" to begin setup after displaying a welcome prompt. In a conversational environment, such a broad confirmation token can be matched out of context and unintentionally start workspace creation or setup actions.

Vague Triggers

Medium (91% confidence)

The documented trigger phrase "change morning check to 8am" is a broad natural-language command that could be matched accidentally during ordinary conversation or by untrusted content relayed through the agent. Because this action changes scheduled automation behavior, ambiguous activation can silently alter when outreach and monitoring jobs run, reducing operator control over outbound email activity.

Vague Triggers

Medium (95% confidence)

The disable trigger phrases "Pause autopilot" and "disable cron" are vague, high-risk natural-language controls for a sensitive operational function. If triggered unintentionally, via ambiguous chat context, or through prompt/content injection from an email or other external text, they can stop reply checks and scheduled follow-ups, directly disrupting lead handling and business operations.

Missing User Warnings

Low (86% confidence)

The scoring guide explicitly uses email opens/clicks and website/social review as lead-scoring inputs, but it does not pair those activities with a clear notice about consent, lawful basis, or user-visible disclosure. In an outreach automation skill, this can normalize privacy-invasive behavior and create legal/compliance exposure, especially where tracking pixels or profile enrichment are used without transparent notice.

VirusTotal

66/66 vendors flagged this skill as clean.