Yahoo Mail IMAP Export

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Yahoo Mail export and triage workflow, but it can delete mailbox data, stores many private email-derived artifacts, sends content to local model services, and includes a hardcoded app-password-like secret.

Review this carefully before installing. Remove the hardcoded password and rotate it if it was ever valid, supply your own Yahoo app password through a safer runtime mechanism, run only with --dry-run and --no-delete until a small test completes, verify exported .eml files and counts before any deletion, and treat ~/email-purge as highly sensitive because it can contain full emails, metadata, body previews, embeddings, triage outputs, and reports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (18)

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
Including unrelated triage and embedding files inside a skill presented as a safe export workflow creates hidden scope expansion. In the context of email archives, this increases the chance that sensitive message contents are analyzed, transformed, or retained in additional artifacts without the user's informed expectation.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
LLM triage and embedding generation are not necessary to safely export Yahoo Mail, yet they imply broader processing of private email contents and metadata. This is more dangerous in an email-migration context because mailbox data often contains highly sensitive personal, financial, and account-recovery information, and extra analysis/storage materially increases exposure.

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The recommended 'folder rotation' workflow is not just an export process: it repeatedly moves messages out of INBOX and then clears export folders, which can permanently alter or delete mailbox contents. In a skill context, documenting destructive steps without strong guardrails, explicit backup/verification requirements, or rollback guidance creates a real risk of irreversible user data loss if followed as written or automated.

Intent-Code Divergence

Medium
Confidence: 94%
Finding
The guide correctly warns that COPY+DELETE+EXPUNGE caused silent message loss, but later recommends clearing export folders after download without stating a mandatory verification step. That inconsistency is dangerous because users may assume deletion is safe once download completes, even though interrupted fetches, partial exports, or logic bugs could again lead to silent permanent loss.

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
The script adds a secondary AI indexing pipeline that is not necessary for a basic mail export workflow. It processes email-derived content into embeddings and builds a separate searchable database, materially expanding data processing scope and retention beyond the stated export purpose, which increases privacy and misuse risk.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
Email-derived text is sent to an embedding service over HTTP, which introduces an additional processing and transmission path not inherent to archive export. Even if the target is localhost, this creates a new trust boundary and can expose sensitive content to another service, logs, or unintended listeners if the endpoint is reconfigured or proxied.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The code stores message metadata, labels, attachment names, classifications, and body previews in a new SQLite database, creating a durable secondary repository of sensitive mail data. This broadens data exposure and retention beyond archive export and makes later search or unauthorized access easier if the local machine or database is compromised.

Intent-Code Divergence

Low
Confidence: 90%
Finding
The script embeds what appears to be a real Yahoo app password directly in source code while presenting itself as a general-purpose mailbox export utility. Hardcoded credentials in distributed skill code can expose account access to anyone who can read the file, and in this context the script also performs mailbox-modifying actions, increasing the chance of unauthorized access and destructive use.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The file’s actual behavior is local email triage and classification, which materially differs from the advertised Yahoo Mail export/archive purpose. In a security review, capability mismatch is dangerous because users may run the skill expecting export-only handling while it instead processes mailbox contents for purge-oriented decisioning, increasing the chance of unintended retention/deletion workflows and privacy-sensitive data handling outside expected scope.

Intent-Code Divergence

Medium
Confidence: 88%
Finding
Referring to the codebase as an 'email purge project' contradicts the stated archive/export use case and suggests downstream destructive handling may be part of the workflow. This inconsistency makes the skill more dangerous in context because users seeking safe archival may unknowingly run tooling oriented toward deletion decisions, undermining informed consent and safe operation.

Missing User Warnings

Medium
Confidence: 86%
Finding
The skill normalizes delete-after-verify handling but does not clearly warn that deletion from Yahoo Mail can be irreversible if verification is flawed, incomplete, or state tracking is corrupted. In a mailbox-export context, insufficient warning and safety language can lead users to run destructive operations without understanding the recovery limitations.

Missing User Warnings

Medium
Confidence: 95%
Finding
The markdown presents mailbox-emptying and folder-clearing operations as the working solution without a conspicuous data-loss warning. In an agent skill, operational guidance can be executed or copied directly by users, so omission of a clear warning materially increases the chance that someone performs irreversible destructive actions believing this is a routine export procedure.

Missing User Warnings

Medium
Confidence: 89%
Finding
The script transmits email-derived content to a local HTTP service without any explicit user-facing warning or consent mechanism. In a mail-handling context, silent transfer of message content to another process is dangerous because users may reasonably expect a pure local export, not AI processing by a separate service.

Missing User Warnings

High
Confidence: 99%
Finding
A hardcoded mailbox password is used to authenticate to Yahoo IMAP, which is a direct secret exposure vulnerability. Anyone with access to the skill source can reuse the credential to access the mailbox, and because the script can move messages out of INBOX, compromise could also lead to tampering or concealment of mail.

Missing User Warnings

Medium
Confidence: 92%
Finding
The script writes email metadata into several local files (aggregate, keep, drop, review, and stats), multiplying copies of sensitive mailbox data without prominently warning the user. This expands the privacy and exposure surface: any compromise of the local machine, backups, or shared filesystem now reveals more duplicated personal data than the user may expect from an export utility.

Missing User Warnings

Medium
Confidence: 80%
Finding
The script writes a persistent markdown report containing sensitive email metadata such as sender, subject, dates, categories, and importance scores to a predictable path under the user's home directory. In an email triage/purge context, this can expose private correspondence and derived classifications to other local users, backup systems, or downstream tooling without any minimization, permission hardening, or user warning.

Missing User Warnings

Medium
Confidence: 93%
Finding
The script sends email metadata and body previews to a model service over HTTP on localhost without any explicit consent, warning, or trust boundary validation. Even though the endpoint is local, localhost services can be proxied, exposed, logged, or operated by another local user/process, creating a real confidentiality risk for sensitive mail content.

Ssd 1

Medium
Confidence: 96%
Finding
Untrusted email content is embedded directly into the LLM prompt, so an attacker can place natural-language instructions in an email body that attempt to override the system task or manipulate scoring and escalation. This can cause misclassification of malicious or important emails, poison automated workflows, and increase false escalations or suppression of real alerts.

VirusTotal

66/66 vendors flagged this skill as clean.